rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_web_server_sus_command_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_web_server_sus_child_spawned.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_web_server_sus_destination_port.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_unusual_user_enumeration_via_id.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_sudo_allowed_command_enumeration.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_message_of_the_day_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_systemd_service_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_grub_makeconfig.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_rc_script_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_web_server_sus_destination_port.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_linux_backdoor_user_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_generic_account_groups.toml

rules/linux/persistence_linux_user_added_to_privileged_group.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_systemd_service_started.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_user_credential_modification_via_echo.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_chkconfig_service_add.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_init_d_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_shared_object_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_apt_package_manager_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_shell_configuration_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_systemd_shell_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_systemd_scheduled_timer_created.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_systemd_netcon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_at_job_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_grub_configuration_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_extract_initramfs_via_cpio.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_simple_web_server_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_insmod_kernel_module_load.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_simple_web_server_connection_accepted.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_rc_local_service_already_running.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_setuid_setgid_capability_set.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_dbus_service_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_openssl_passwd_hash_generation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_systemd_generator_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_apt_package_manager_netcon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_web_server_sus_destination_port.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_esxi_software_via_find.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_sudo_hijacking.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_root_certificate_installation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_writable_docker_socket.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_linux_user_added_to_privileged_group.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_grub_makeconfig.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_authorized_keys_file_deletion.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_systemd_scheduled_timer_created.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_kill_command_executed.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_uid_change_post_compilation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/impact_process_kill_threshold.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_abnormal_process_id_file_created.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_shadow_file_read.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/impact_data_encrypted_via_openssl.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/impact_potential_linux_ransomware_note_detected.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_simple_web_server_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_potential_proot_exploits.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_sudo_allowed_command_enumeration.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_file_deletion_via_shred.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/credential_access_proc_credential_dumping.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_openssl_passwd_hash_generation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_unusual_user_enumeration_via_id.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_simple_web_server_connection_accepted.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_grub_configuration_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_linux_chisel_server_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_extract_initramfs_via_cpio.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_dac_permissions.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_hex_payload_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_dbus_service_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_hex_payload_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_disable_apparmor_attempt.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_linux_chisel_client_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_authorized_keys_file_deletion.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/credential_access_credential_dumping.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_ld_so_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/impact_esxi_process_kill.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_user_credential_modification_via_echo.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_disable_apparmor_attempt.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_file_deletion_via_shred.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_ld_so_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_init_d_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/impact_memory_swap_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_kill_command_executed.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_mount_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_esxi_software_via_grep.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/impact_potential_bruteforce_malware_infection.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/credential_access_gdb_init_process_hooking.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/impact_memory_swap_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/execution_initial_access_via_msc_file.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/execution_downloaded_shortcut_files.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_base64_decoding_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_docker_socket_discovery.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_docker_socket_discovery.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_base64_decoding_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_private_key_password_searching_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_dpkg_unusual_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_suspicious_certutil_commands.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_startup_folder_scripts.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/lateral_movement_remote_services.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_lsass_memdump_handle_access.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_powershell_profiles.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/discovery_security_file_access_via_common_utility.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_msbuild_making_network_connections.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_credential_dumping_msbuild.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_via_update_orchestrator_service_hijack.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_unusual_ads_file_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_bruteforce_admin_account.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_priv_escalation_via_accessibility_features.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/defense_evasion_interactive_shell_from_system_user.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_security_file_access_via_common_utility.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/defense_evasion_interactive_shell_from_system_user.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/credential_access_lsass_memdump_file_created.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/privilege_escalation_named_pipe_impersonation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_time_provider_mod.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_via_filter_manager.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_dpkg_unusual_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/discovery_private_key_password_searching_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/discovery_esxi_software_via_find.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_grub_configuration_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_esxi_software_via_grep.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_file_deletion_via_shred.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_rc_local_service_already_running.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_dpkg_unusual_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_simple_web_server_connection_accepted.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_shell_configuration_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_root_certificate_installation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/credential_access_lsass_openprocess_api.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_insmod_kernel_module_load.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_mount_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/lateral_movement_direct_outbound_smb_connection.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_linux_chisel_client_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/command_and_control_linux_proxychains_activity.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_shared_object_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/credential_access_kerberoasting_unusual_process.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/impact_esxi_process_kill.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/credential_access_gdb_init_process_hooking.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/threat_intel/threat_intel_indicator_match_address.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_systemd_scheduled_timer_created.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/impact_potential_bruteforce_malware_infection.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_apt_package_manager_netcon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_web_server_sus_command_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_sudo_hijacking.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_pkexec_envar_hijack.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_esxi_software_via_grep.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_systemd_generator_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_enlightenment_window_manager.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_abnormal_process_id_file_created.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_apt_package_manager_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/impact_data_encrypted_via_openssl.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_user_credential_modification_via_echo.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_tunneling_via_earthworm.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_systemd_shell_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/threat_intel/threat_intel_indicator_match_registry.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/privilege_escalation_enlightenment_window_manager.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/threat_intel/threat_intel_indicator_match_hash.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_adobe_hijack_persistence.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/command_and_control_teamviewer_remote_file_copy.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/privilege_escalation_overlayfs_local_privesc.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_grub_makeconfig.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/credential_access_proc_credential_dumping.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/impact_process_kill_threshold.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_linux_chisel_server_activity.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_dbus_service_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_insmod_kernel_module_load.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_systemd_service_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_linux_backdoor_user_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/privilege_escalation_installertakeover.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_simple_web_server_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_setuid_setgid_capability_set.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_pkexec_envar_hijack.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_overlayfs_local_privesc.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_potential_proot_exploits.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_dynamic_linker_backup.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_apt_package_manager_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_linux_chisel_server_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_apt_package_manager_netcon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/credential_access_gdb_init_process_hooking.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_potential_proot_exploits.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_message_of_the_day_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_mount_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_writable_docker_socket.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_ld_so_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/threat_intel/threat_intel_indicator_match_url.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_systemd_netcon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/impact_process_kill_threshold.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_dac_permissions.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_linux_chisel_client_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_rc_script_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_at_job_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_sudo_allowed_command_enumeration.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_dynamic_linker_backup.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_linux_chisel_client_activity.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_message_of_the_day_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_setuid_setgid_capability_set.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/impact_esxi_process_kill.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_web_server_sus_command_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_linux_chisel_server_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_shadow_file_read.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_shell_configuration_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_linux_user_added_to_privileged_group.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_message_of_the_day_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_sudo_hijacking.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_shared_object_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_dynamic_linker_backup.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/impact_data_encrypted_via_openssl.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_dac_permissions.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_web_server_sus_child_spawned.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_interactive_shell_from_system_user.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/impact_memory_swap_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_pkexec_envar_hijack.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/credential_access_credential_dumping.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_root_certificate_installation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_at_job_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_message_of_the_day_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_disable_apparmor_attempt.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_systemd_service_started.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_rc_script_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/impact_potential_linux_ransomware_note_detected.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_overlayfs_local_privesc.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_systemd_shell_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_chkconfig_service_add.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_rc_local_service_already_running.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_unusual_user_enumeration_via_id.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_linux_backdoor_user_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_chkconfig_service_add.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/impact_potential_linux_ransomware_note_detected.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_systemd_service_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_abnormal_process_id_file_created.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_systemd_service_started.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_init_d_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_systemd_netcon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_hex_payload_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/privilege_escalation_shadow_file_read.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/command_and_control_sunburst_c2_activity_detected.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_docker_socket_discovery.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_message_of_the_day_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_security_file_access_via_common_utility.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_esxi_software_via_find.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_writable_docker_socket.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_extract_initramfs_via_cpio.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_uid_change_post_compilation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/credential_access_proc_credential_dumping.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_authorized_keys_file_deletion.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/discovery_private_key_password_searching_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_openssl_passwd_hash_generation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_kill_command_executed.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_web_server_sus_child_spawned.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_uid_change_post_compilation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_systemd_generator_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/impact_potential_bruteforce_malware_infection.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/credential_access_credential_dumping.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_enlightenment_window_manager.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_appinitdlls_registry.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/command_and_control_common_webservices.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_curl_socks_proxy_detected.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_container_util_misconfiguration.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_container_util_misconfiguration.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_container_util_misconfiguration.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_curl_socks_proxy_detected.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/command_and_control_curl_socks_proxy_detected.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_startup_folder_scripts.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_base64_decoding_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/credential_access_lsass_openprocess_api.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/defense_evasion_disable_selinux_attempt.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/collection_posh_compression.toml

rules/linux/defense_evasion_chattr_immutable_file.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/defense_evasion_log_files_deleted.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_file_mod_writable_dir.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_disable_selinux_attempt.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_tunneling_via_earthworm.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/lateral_movement_unusual_remote_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_log_files_deleted.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_chattr_immutable_file.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/collection_posh_compression.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_xdg_autostart_netcon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/execution_initial_access_via_msc_file.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/lateral_movement_unusual_remote_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/lateral_movement_telnet_network_activity_internal.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml
rules_building_block/execution_linux_segfault.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/collection_posh_compression.toml

rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_bpf_probe_write_user.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/lateral_movement_unusual_remote_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_disable_selinux_attempt.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_tainted_kernel_module_load.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/persistence_xdg_autostart_netcon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/execution_downloaded_shortcut_files.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_kde_autostart_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/command_and_control_tunneling_via_earthworm.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/lateral_movement_telnet_network_activity_external.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_file_mod_writable_dir.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_linux_nping_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_downloaded_url_file.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/persistence_rc_local_error_via_syslog.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/credential_access_ssh_backdoor_log.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_chattr_immutable_file.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/lateral_movement_telnet_network_activity_internal.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/execution_linux_segfault.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_linux_nping_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_linux_nping_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_kde_autostart_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_ms_office_written_file.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/initial_access_first_time_public_key_authentication.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/defense_evasion_hidden_shared_object.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_kde_autostart_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/defense_evasion_log_files_deleted.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/collection_posh_compression.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/lateral_movement_at.toml

rules/linux/lateral_movement_telnet_network_activity_external.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/command_and_control_tunneling_via_earthworm.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/lateral_movement_scheduled_task_target.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_hidden_shared_object.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/credential_access_ssh_backdoor_log.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/credential_access_ssh_backdoor_log.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/lateral_movement_telnet_network_activity_internal.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_file_mod_writable_dir.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_hidden_shared_object.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_xdg_autostart_netcon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_pdf_written_file.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/lateral_movement_telnet_network_activity_external.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_psexec_lateral_movement_command.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_via_update_orchestrator_service_hijack.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/persistence_ml_windows_anomalous_path_activity.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/ml/persistence_ml_windows_anomalous_path_activity.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_services_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/persistence_suspicious_service_created_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_service_windows_service_winlog.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/ml/persistence_ml_rare_process_by_host_windows.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_suspicious_lsass_access_memdump.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/persistence_suspicious_service_created_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_via_update_orchestrator_service_hijack.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_generic_localdumps.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/persistence_services_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/credential_access_lsass_memdump_file_created.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml

rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/credential_access_lsass_openprocess_api.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/persistence_insmod_kernel_module_load.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/credential_access_lsass_memdump_file_created.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/collection_posh_compression.toml

rules/cross-platform/discovery_security_software_grep.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/persistence_bpf_probe_write_user.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/defense_evasion_authorized_keys_file_deletion.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_lsass_memdump_handle_access.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_msbuild_making_network_connections.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/lateral_movement_rdp_enabled_registry.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/_deprecated/persistence_kernel_module_activity.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/ml/persistence_ml_windows_anomalous_process_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_mod_wdigest_security_provider.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/credential_access_mod_wdigest_security_provider.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/defense_evasion_via_filter_manager.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_lsass_memdump_handle_access.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/azure/defense_evasion_event_hub_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/collection_email_outlook_mailbox_via_com.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/initial_access_execution_remote_via_msiexec.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_windows_powershell_susp_args.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/execution_command_shell_started_by_powershell.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/defense_evasion_apple_softupdates_modification.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_pdf_written_file.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/initial_access_scripts_process_started_via_wmi.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/execution_ms_office_written_file.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/lateral_movement_incoming_wmi.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/collection_posh_compression.toml

rules/windows/execution_posh_hacktool_authors.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/defense_evasion_file_deletion_via_shred.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/discovery_posh_generic.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/promotions/credential_access_endgame_cred_dumping_detected.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/collection_posh_compression.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/execution_command_shell_started_by_powershell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/ml/persistence_ml_rare_process_by_host_windows.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/execution_posh_hacktool_authors.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_lsass_handle_via_malseclogon.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/defense_evasion_disable_apparmor_attempt.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/execution_posh_hacktool_authors.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/execution_command_shell_started_by_powershell.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_posh_hacktool_authors.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/collection_posh_compression.toml

rules/windows/lateral_movement_rdp_sharprdp_target.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_generic_localdumps.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/collection_posh_compression.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/execution_windows_powershell_susp_args.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_service_windows_service_winlog.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_posh_hacktool_authors.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_tainted_kernel_module_load.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_posh_hacktool_authors.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/ml/persistence_ml_windows_anomalous_service.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_suspicious_lsass_access_memdump.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/privilege_escalation_driver_newterm_imphash.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/discovery_posh_generic.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/collection_posh_compression.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/execution_windows_powershell_susp_args.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_service_windows_service_winlog.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/execution_posh_hacktool_authors.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/execution_command_shell_started_by_powershell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/discovery_posh_generic.toml

rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/discovery_posh_generic.toml

rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_windows_powershell_susp_args.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/execution_windows_powershell_susp_args.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/discovery_posh_password_policy.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/promotions/credential_access_endgame_cred_dumping_detected.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/collection_posh_compression.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/_deprecated/execution_command_shell_started_by_powershell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/defense_evasion_safari_config_change.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/privilege_escalation_driver_newterm_imphash.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_windows_powershell_susp_args.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/discovery_posh_generic.toml

rules/ml/persistence_ml_windows_anomalous_service.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_downloaded_url_file.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/execution_windows_cmd_shell_susp_args.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/defense_evasion_disable_selinux_attempt.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/execution_command_shell_started_by_powershell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/collection_posh_compression.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_suspicious_lsass_access_generic.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/collection_posh_compression.toml

rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/initial_access_execution_remote_via_msiexec.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_lsass_handle_via_malseclogon.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/execution_windows_powershell_susp_args.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/collection_posh_compression.toml

rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/ml/persistence_ml_windows_anomalous_path_activity.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/execution_windows_cmd_shell_susp_args.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/execution_command_shell_started_by_powershell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/initial_access_scripts_process_started_via_wmi.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/persistence_lkm_configuration_file_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/lateral_movement_evasion_rdp_shadowing.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/collection_posh_compression.toml

rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/azure/impact_resource_group_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/collection_posh_compression.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/persistence_ml_rare_process_by_host_windows.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_kernel_driver_load_by_non_root.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/initial_access_execution_via_office_addins.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/initial_access_execution_via_office_addins.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_credential_dumping_msbuild.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_lsass_loaded_susp_dll.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/credential_access_lsass_loaded_susp_dll.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/collection_posh_compression.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_suspicious_lsass_access_generic.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/cross-platform/execution_potential_widespread_malware_infection.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/lateral_movement_at.toml

rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/network/command_and_control_accepted_default_telnet_port_connection.toml
rules_building_block/lateral_movement_at.toml

rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
rules_building_block/lateral_movement_at.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/lateral_movement_incoming_wmi.toml
rules_building_block/lateral_movement_at.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/lateral_movement_at.toml

rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/github/persistence_organization_owner_role_granted.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/persistence_shared_object_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_systemd_service_started.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_dynamic_linker_backup.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/command_and_control_encrypted_channel_freesslcert.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/credential_access_suspicious_lsass_access_generic.toml
rules_building_block/discovery_net_view.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/discovery_net_view.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/collection_posh_compression.toml

rules/windows/impact_backup_file_deletion.toml
rules_building_block/discovery_net_view.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/defense_evasion_workfolders_control_execution.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/collection_winrar_encryption.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/collection_winrar_encryption.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/discovery_net_view.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/linux/persistence_setuid_setgid_capability_set.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/collection_posh_compression.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/discovery_net_view.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
rules_building_block/discovery_net_view.toml

rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
rules_building_block/discovery_net_view.toml

rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_insmod_kernel_module_load.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_workfolders_control_execution.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_systemd_service_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/credential_access_collection_sensitive_files.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/persistence_chkconfig_service_add.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/defense_evasion_amsienable_key_mod.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/collection_posh_compression.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/discovery_posh_generic.toml

rules/cross-platform/discovery_security_software_grep.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/linux/persistence_kde_autostart_modification.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/linux/persistence_process_capability_set_via_setcap.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/privilege_escalation_disable_uac_registry.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/aws/impact_iam_group_deletion.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/command_and_control_sunburst_c2_activity_detected.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/persistence_systemd_generator_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/discovery_net_view.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/aws/impact_rds_group_deletion.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/linux/persistence_process_capability_set_via_setcap.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/lateral_movement_ssh_it_worm_download.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/gcp/impact_gcp_service_account_deleted.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/discovery_net_view.toml

rules/integrations/gcp/impact_gcp_service_account_disabled.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_mimikatz_memssp_default_logs.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_systemd_generator_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/execution_potential_hack_tool_executed.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/_deprecated/lateral_movement_malicious_remote_file_creation.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/gcp/impact_gcp_service_account_deleted.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_systemd_shell_execution.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_suspicious_certutil_commands.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/linux/persistence_systemd_service_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
rules_building_block/execution_github_repo_created.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/aws/impact_rds_group_deletion.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/network/lateral_movement_dns_server_overflow.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/integrations/gcp/impact_gcp_service_account_disabled.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/command_and_control_tool_transfer_via_curl.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/lateral_movement_remote_file_creation_in_sensitive_directory.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/linux/discovery_ping_sweep_detected.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/lateral_movement_remote_services.toml
rules_building_block/lateral_movement_at.toml

rules/network/command_and_control_download_rar_powershell_from_internet.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/integrations/aws/impact_rds_group_deletion.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/linux/persistence_systemd_service_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/_deprecated/discovery_query_registry_via_reg.toml
rules_building_block/discovery_generic_registry_query.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/gcp/impact_gcp_service_account_disabled.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/command_and_control_tool_transfer_via_curl.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/integrations/aws/impact_iam_group_deletion.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/network/command_and_control_download_rar_powershell_from_internet.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_systemd_service_started.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/impact_iam_group_deletion.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/_deprecated/defense_evasion_code_injection_conhost.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/integrations/gcp/impact_gcp_service_account_deleted.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/persistence_systemd_shell_execution.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_systemd_service_started.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/linux/lateral_movement_ssh_it_worm_download.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/windows/lateral_movement_rdp_enabled_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/impact_github_user_blocked_from_organization.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/persistence_appinitdlls_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/discovery_posh_generic.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/execution_downloaded_url_file.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/credential_access_ssh_backdoor_log.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_evasion_registry_ifeo_injection.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/persistence_registry_uncommon.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/macos/discovery_users_domain_built_in_commands.toml
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml

rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/impact_esxi_process_kill.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
rules_building_block/discovery_net_view.toml

rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/lateral_movement_rdp_enabled_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_dbus_service_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_dbus_service_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_wsl_filesystem.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_powershell_susp_args_via_winscript.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/discovery_posh_password_policy.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/collection_posh_compression.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/collection_posh_compression.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/persistence_at_job_creation.toml
rules_building_block/lateral_movement_at.toml

rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/discovery_suspicious_memory_grep_activity.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_services_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
rules_building_block/discovery_system_network_connections.toml

rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_process_capability_set_via_setcap.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_ms_office_written_file.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/integrations/github/execution_github_app_deleted.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/lateral_movement_telnet_network_activity_internal.toml
rules_building_block/lateral_movement_at.toml

rules/windows/command_and_control_port_forwarding_added_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_getconf_execution.toml

rules/linux/persistence_unusual_pam_grantor.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/persistence_msoffice_startup_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/persistence_appinitdlls_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/execution_potential_hack_tool_executed.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/initial_access_execution_via_office_addins.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/linux/lateral_movement_telnet_network_activity_external.toml
rules_building_block/lateral_movement_at.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_suspicious_service_created_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_msoffice_startup_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/persistence_registry_uncommon.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_getconf_execution.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_netsh_helper_dll.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/initial_access_suspicious_ms_exchange_files.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/discovery_security_software_wmic.toml

rules/integrations/github/execution_github_app_deleted.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/lateral_movement_via_wsus_update.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/github/execution_github_app_deleted.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/execution_mofcomp.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/execution_powershell_susp_args_via_winscript.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/persistence_werfault_reflectdebugger.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/credential_access_ssh_backdoor_log.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_unusual_pam_grantor.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/initial_access_scripts_process_started_via_wmi.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/impact_stop_process_service_threshold.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_proxy_execution_via_msdt.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_via_bits_job_notify_command.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/github/execution_github_app_deleted.toml
rules_building_block/execution_github_repo_created.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_of_domain_groups.toml

rules/linux/credential_access_ssh_backdoor_log.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_getconf_execution.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_netsh_helper_dll.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/github/execution_github_app_deleted.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/_deprecated/credential_access_tcpdump_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_powershell_susp_args_via_winscript.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/collection_posh_compression.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_netsh_helper_dll.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/integrations/github/execution_github_app_deleted.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/execution_powershell_susp_args_via_winscript.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_getconf_execution.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/discovery_suspicious_memory_grep_activity.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/collection_posh_compression.toml

rules/macos/discovery_users_domain_built_in_commands.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/linux/impact_process_kill_threshold.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/cross-platform/defense_evasion_timestomp_touch.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_generic_localdumps.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/lateral_movement_incoming_wmi.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/credential_access_generic_localdumps.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/execution_pdf_written_file.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/ml/discovery_ml_linux_system_process_discovery.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/execution_powershell_susp_args_via_winscript.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_mofcomp.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/macos/lateral_movement_vpn_connection_attempt.toml
rules_building_block/lateral_movement_at.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/command_and_control_port_forwarding_added_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/lateral_movement_at.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/impact_github_member_removed_from_organization.toml

rules/ml/discovery_ml_linux_system_process_discovery.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_getconf_execution.toml

rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_via_lsa_security_support_provider_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/defense_evasion_proxy_execution_via_msdt.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/collection_posh_compression.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
rules_building_block/execution_github_repo_created.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_registry_uncommon.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_net_view.toml

rules/windows/persistence_appinitdlls_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/collection_posh_compression.toml

rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/collection_posh_compression.toml

rules/linux/discovery_ping_sweep_detected.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/credential_access_collection_sensitive_files.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_mofcomp.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_via_lsa_security_support_provider_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_generic_localdumps.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_internet_capabilities.toml

rules/linux/credential_access_collection_sensitive_files.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/linux/credential_access_collection_sensitive_files.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_evasion_registry_ifeo_injection.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_via_lsa_security_support_provider_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_werfault_reflectdebugger.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_net_view.toml

rules/windows/lateral_movement_incoming_wmi.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/initial_access_suspicious_ms_exchange_process.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/lateral_movement_ssh_it_worm_download.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/execution_powershell_susp_args_via_winscript.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/impact_github_pat_access_revoked.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/linux/persistence_unusual_pam_grantor.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_initial_access_via_msc_file.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_potential_hack_tool_executed.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/cross-platform/discovery_security_software_grep.toml
rules_building_block/discovery_net_view.toml

rules/windows/discovery_active_directory_webservice.toml
rules_building_block/discovery_hosts_file_access.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rules_building_block/collection_posh_compression.toml

rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/persistence_msoffice_startup_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/persistence_unusual_pam_grantor.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_evasion_registry_ifeo_injection.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_werfault_reflectdebugger.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/discovery_ping_sweep_detected.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/persistence_process_capability_set_via_setcap.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
rules_building_block/discovery_net_view.toml

rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/execution_powershell_susp_args_via_winscript.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_remote_sam_secretsdump.toml
rules_building_block/lateral_movement_at.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/lateral_movement_rdp_enabled_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_downloaded_shortcut_files.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/discovery_posh_generic.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/discovery_net_view.toml

rules/macos/credential_access_dumping_hashes_bi_cmds.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/command_and_control_port_forwarding_added_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/collection_posh_compression.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_linux_backdoor_user_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/cross-platform/impact_hosts_file_modified.toml
rules_building_block/discovery_net_view.toml

rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_init_d_file_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_linux_group_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/lateral_movement_executable_tool_transfer_smb.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/execution_initial_access_via_msc_file.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_udev_rule_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/persistence_shell_activity_by_web_server.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/privilege_escalation_disable_uac_registry.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_linux_group_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/ml/initial_access_ml_linux_anomalous_user_name.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/macos/privilege_escalation_user_added_to_admin_group.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/initial_access_ml_windows_anomalous_user_name.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/persistence_powershell_profiles.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/integrations/azure/credential_access_key_vault_modified.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/lateral_movement_direct_outbound_smb_connection.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/persistence_time_provider_mod.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/command_and_control_teamviewer_remote_file_copy.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/persistence_ml_windows_anomalous_path_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/lateral_movement_unusual_remote_file_creation.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_net_view.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_time_provider_mod.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/collection_mailbox_export_winlog.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_win_network_connections.toml

rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_rc_script_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/ml/initial_access_ml_linux_anomalous_user_name.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/ml/initial_access_ml_auth_rare_user_logon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/discovery_file_dir_discovery.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/ml/persistence_ml_rare_process_by_host_windows.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/credential_access_credential_dumping_msbuild.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/persistence_appinitdlls_registry.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/discovery_ml_linux_system_user_discovery.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/ml/credential_access_ml_suspicious_login_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/persistence_appcertdlls_registry.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/credential_access_ml_suspicious_login_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_win_network_connections.toml

rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/ml/ml_spike_in_traffic_to_a_country.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/lateral_movement_at.toml

rules/ml/persistence_ml_windows_anomalous_path_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/ml/ml_spike_in_traffic_to_a_country.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/discovery_win_network_connections.toml

rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_wsl_registry_modification.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/cross-platform/credential_access_forced_authentication_pipes.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_credential_dumping_msbuild.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/discovery_posh_generic.toml

rules/ml/ml_rare_destination_country.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_execution_windefend_unusual_path.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/linux/persistence_shared_object_creation.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/credential_access_remote_sam_secretsdump.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_setuid_setgid_capability_set.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/ml/discovery_ml_linux_system_process_discovery.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/persistence_ml_rare_process_by_host_linux.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_linux_user_account_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/ml/persistence_ml_windows_anomalous_service.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/ml/ml_packetbeat_rare_server_domain.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/credential_access_regback_sam_security_hives.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/initial_access_xsl_script_execution_via_com.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_insmod_kernel_module_load.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/ml/ml_low_count_events_for_a_host_name.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/lateral_movement_direct_outbound_smb_connection.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/discovery_active_directory_webservice.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/ml/persistence_ml_rare_process_by_host_linux.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_shared_object_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/ml/ml_spike_in_traffic_to_a_country.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_pdf_written_file.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/ml/ml_high_count_events_for_a_host_name.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/ml/persistence_ml_rare_process_by_host_windows.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/lateral_movement_executable_tool_transfer_smb.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_adobe_hijack_persistence.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/ml/initial_access_ml_windows_anomalous_user_name.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/defense_evasion_code_injection_conhost.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_script_via_html_app.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/macos/privilege_escalation_user_added_to_admin_group.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/ml_linux_anomalous_network_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/credential_access_moving_registry_hive_via_smb.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_getconf_execution.toml

rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_priv_escalation_via_accessibility_features.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/persistence_iam_group_creation.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
rules_building_block/discovery_net_view.toml

rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/ml/ml_rare_destination_country.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/ml/initial_access_ml_auth_rare_user_logon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
rules_building_block/discovery_net_view.toml

rules/ml/persistence_ml_windows_anomalous_process_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/persistence_shell_activity_by_web_server.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/ml/ml_linux_anomalous_network_port_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/ml/persistence_ml_windows_anomalous_process_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/lateral_movement_at.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_message_of_the_day_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_moving_registry_hive_via_smb.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/credential_access_remote_sam_secretsdump.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_message_of_the_day_execution.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/ml_high_count_events_for_a_host_name.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/linux/persistence_bpf_probe_write_user.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/initial_access_ml_auth_rare_user_logon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/discovery_posh_password_policy.toml

rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/ml_high_count_network_denies.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/ml/discovery_ml_linux_system_process_discovery.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/ml_high_count_network_denies.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/macos/privilege_escalation_user_added_to_admin_group.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/ml_rare_destination_country.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/discovery_ml_linux_system_user_discovery.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_chkconfig_service_add.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/ml/persistence_ml_windows_anomalous_service.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/lateral_movement_rdp_enabled_registry.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
rules_building_block/discovery_net_view.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_security_software_wmic.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/ml/ml_linux_anomalous_network_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_adobe_hijack_persistence.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/persistence_linux_user_added_to_privileged_group.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/ml_linux_anomalous_network_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/ml/ml_low_count_events_for_a_host_name.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/initial_access_execution_remote_via_msiexec.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/ml/ml_packetbeat_rare_server_domain.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/ml_high_count_network_events.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_win_network_connections.toml

rules/linux/persistence_dynamic_linker_backup.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/ml/ml_low_count_events_for_a_host_name.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/persistence_ml_windows_anomalous_process_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_registry_uncommon.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/collection_posh_compression.toml

rules/linux/lateral_movement_unusual_remote_file_creation.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/persistence_startup_folder_scripts.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_win_network_connections.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/macos/privilege_escalation_user_added_to_admin_group.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/credential_access_regback_sam_security_hives.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/persistence_rc_script_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/ml/ml_high_count_events_for_a_host_name.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_ms_office_written_file.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/collection_mailbox_export_winlog.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/ml/persistence_ml_rare_process_by_host_linux.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/ml/ml_packetbeat_rare_server_domain.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_systemd_service_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/github/persistence_organization_owner_role_granted.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/persistence_systemd_service_started.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/ml_windows_anomalous_network_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/initial_access_ml_linux_anomalous_user_name.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/ml/ml_windows_anomalous_network_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_net_view.toml

rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/cross-platform/discovery_security_software_grep.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_adobe_hijack_persistence.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/persistence_systemd_scheduled_timer_created.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/macos/privilege_escalation_user_added_to_admin_group.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/ml/persistence_ml_rare_process_by_host_windows.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/persistence_adobe_hijack_persistence.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_security_software_wmic.toml

rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/persistence_ml_windows_anomalous_service.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/ml_high_count_network_events.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_hide_encoded_executable_registry.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/persistence_adobe_hijack_persistence.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_net_view.toml

rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_shadow_file_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/ml/discovery_ml_linux_system_process_discovery.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_net_view.toml

rules/_deprecated/persistence_kernel_module_activity.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/ml/ml_high_count_network_denies.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/lateral_movement_executable_tool_transfer_smb.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/discovery_ml_linux_system_user_discovery.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/ml/ml_windows_anomalous_network_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/ml/initial_access_ml_windows_anomalous_user_name.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/ml/ml_linux_anomalous_network_port_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_win_network_connections.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_win_network_connections.toml

rules/ml/credential_access_ml_suspicious_login_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/ml/ml_linux_anomalous_network_port_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/discovery_users_domain_built_in_commands.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/persistence_systemd_scheduled_timer_created.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/command_and_control_port_forwarding_added_registry.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/ml/ml_high_count_network_events.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/persistence_ml_windows_anomalous_path_activity.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/macos/persistence_periodic_tasks_file_mdofiy.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/macos/credential_access_credentials_keychains.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/command_and_control_sunburst_c2_activity_detected.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/collection_winrar_encryption.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/initial_access_login_time.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_pluggable_authentication_module_source_download.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_moving_registry_hive_via_smb.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/persistence_init_d_file_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/macos/persistence_emond_rules_file_creation.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/persistence_account_creation_hide_at_logon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/aws/initial_access_password_recovery.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/discovery_posh_password_policy.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/impact_cloudtrail_logging_updated.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/collection_posh_compression.toml

rules/cross-platform/impact_hosts_file_modified.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/macos/persistence_finder_sync_plugin_pluginkit.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_powershell_susp_args_via_winscript.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/network/command_and_control_accepted_default_telnet_port_connection.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/cross-platform/defense_evasion_timestomp_touch.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_appinitdlls_registry.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_via_filter_manager.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_posh_hacktool_authors.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/integrations/azure/initial_access_external_guest_user_invite.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_shadow_file_modification.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/persistence_finder_sync_plugin_pluginkit.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_dpkg_unusual_execution.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/ml/initial_access_ml_windows_anomalous_user_name.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/_deprecated/initial_access_login_time.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/initial_access_password_recovery.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/initial_access_login_failures.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/initial_access_login_sessions.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/macos/persistence_emond_rules_process_execution.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_net_view.toml

rules/_deprecated/execution_command_shell_started_by_powershell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_shadow_file_modification.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/persistence_crontab_creation.toml
rules_building_block/lateral_movement_at.toml

rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
rules_building_block/lateral_movement_at.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/persistence_user_credential_modification_via_echo.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/execution_downloaded_shortcut_files.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/collection_posh_compression.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_net_view.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/lateral_movement_at.toml

rules/linux/credential_access_credential_dumping.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/privilege_escalation_driver_newterm_imphash.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_execution_windefend_unusual_path.toml
rules_building_block/discovery_net_view.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_via_lsa_security_support_provider_registry.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/persistence_loginwindow_plist_modification.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_security_software_wmic.toml

rules/integrations/aws/persistence_rds_cluster_creation.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/integrations/aws/initial_access_console_login_root.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/integrations/aws/impact_iam_group_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/macos/persistence_account_creation_hide_at_logon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/ml/initial_access_ml_auth_rare_user_logon.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_psexec_lateral_movement_command.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/lateral_movement_rdp_sharprdp_target.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/azure/persistence_azure_automation_account_created.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/lateral_movement_at.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/defense_evasion_install_root_certificate.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/discovery_security_software_wmic.toml

rules/macos/persistence_directory_services_plugins_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_setuid_setgid_capability_set.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/privilege_escalation_shadow_file_read.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/macos/privilege_escalation_root_crontab_filemod.toml
rules_building_block/lateral_movement_at.toml

rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/macos/execution_initial_access_suspicious_browser_childproc.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/aws/exfiltration_rds_snapshot_export.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/macos/persistence_screensaver_plist_file_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/promotions/execution_endgame_exploit_detected.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/persistence_lkm_configuration_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_lsa_auth_package.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/network/discovery_potential_network_sweep_detected.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/macos/lateral_movement_mounting_smb_share.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/macos/lateral_movement_mounting_smb_share.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_mofcomp.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/integrations/aws/initial_access_console_login_root.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/discovery_posh_generic.toml

rules/network/discovery_potential_network_sweep_detected.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_lsass_openprocess_api.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_script_via_html_app.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
rules_building_block/lateral_movement_at.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/lateral_movement_at.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_powershell_profiles.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/persistence_redshift_instance_creation.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/persistence_msoffice_startup_registry.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_log_files_deleted.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/persistence_iam_group_creation.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/aws/persistence_rds_instance_creation.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/macos/credential_access_dumping_keychain_security.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/execution_initial_access_suspicious_browser_childproc.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_at_job_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
rules_building_block/lateral_movement_at.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/impact_ransomware_file_rename_smb.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/macos/persistence_credential_access_authorization_plugin_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/initial_access_password_recovery.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_microsoft_defender_tampering.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/macos/persistence_account_creation_hide_at_logon.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/ml/persistence_ml_windows_anomalous_path_activity.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/collection_posh_compression.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/execution_initial_access_foxmail_exploit.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/lateral_movement_direct_outbound_smb_connection.toml
rules_building_block/lateral_movement_at.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_amsienable_key_mod.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/persistence_creation_change_launch_agents_file.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_dpkg_unusual_execution.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/lateral_movement_direct_outbound_smb_connection.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/persistence_shell_activity_by_web_server.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/macos/defense_evasion_apple_softupdates_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/promotions/execution_endgame_exploit_prevented.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/discovery_posh_password_policy.toml

rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_dynamic_linker_backup.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/macos/persistence_account_creation_hide_at_logon.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/macos/persistence_enable_root_account.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/macos/persistence_loginwindow_plist_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/command_and_control_rdp_tunnel_plink.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_pluggable_authentication_module_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/persistence_suspicious_calendar_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/macos/credential_access_dumping_hashes_bi_cmds.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_crontab_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/macos/persistence_via_atom_init_file_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/persistence_xdg_autostart_netcon.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/defense_evasion_log_files_deleted.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/macos/persistence_creation_change_launch_agents_file.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/lateral_movement_at.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/macos/credential_access_systemkey_dumping.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/macos/lateral_movement_vpn_connection_attempt.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/network/command_and_control_cobalt_strike_beacon.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/_deprecated/persistence_cron_jobs_creation_and_runtime.toml
rules_building_block/lateral_movement_at.toml

rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/credential_access_lsass_memdump_handle_access.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/macos/persistence_via_atom_init_file_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/network/discovery_potential_syn_port_scan_detected.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/credential_access_collection_sensitive_files.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/macos/privilege_escalation_local_user_added_to_admin.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/_deprecated/command_and_control_smtp_to_the_internet.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/network/discovery_potential_syn_port_scan_detected.toml
rules_building_block/discovery_posh_password_policy.toml

rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/lateral_movement_executable_tool_transfer_smb.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/discovery_security_software_wmic.toml

rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/command_and_control_rdp_tunnel_plink.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_security_software_wmic.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/collection_posh_compression.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_mofcomp.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/persistence_enable_root_account.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/network/discovery_potential_syn_port_scan_detected.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_startup_folder_scripts.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/command_and_control_smtp_to_the_internet.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/defense_evasion_creation_of_hidden_files_directories.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/aws/persistence_rds_instance_creation.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/credential_access_mimikatz_memssp_default_logs.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_sip_provider_mod.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/defense_evasion_rds_instance_restored.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/defense_evasion_wsl_registry_modification.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_user_credential_modification_via_echo.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/cross-platform/defense_evasion_timestomp_touch.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_systemd_scheduled_timer_created.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/impact_ransomware_note_file_over_smb.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_lsa_auth_package.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_script_via_html_app.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/lateral_movement_remote_ssh_login_enabled.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/privilege_escalation_installertakeover.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/azure/discovery_blob_container_access_mod.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/impact_backup_file_deletion.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
rules_building_block/discovery_security_software_wmic.toml

rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/credential_access_gdb_process_hooking.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/cross-platform/discovery_security_software_grep.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/privilege_escalation_shadow_file_read.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/execution_psexec_lateral_movement_command.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_appcertdlls_registry.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/integrations/azure/persistence_azure_automation_account_created.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/azure/persistence_azure_automation_account_created.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/persistence_credential_access_authorization_plugin_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/_deprecated/initial_access_login_location.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/macos/persistence_loginwindow_plist_modification.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_of_domain_groups.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/lateral_movement_at.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/persistence_crontab_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/impact_rds_group_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/ml/initial_access_ml_windows_anomalous_user_name.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_evasion_registry_ifeo_injection.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
rules_building_block/discovery_net_view.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/impact_cloudtrail_logging_updated.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/persistence_time_provider_mod.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/persistence_appcertdlls_registry.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/macos/persistence_emond_rules_process_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/macos/privilege_escalation_local_user_added_to_admin.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_net_view.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/defense_evasion_authorized_keys_file_deletion.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/network/discovery_potential_network_sweep_detected.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/lateral_movement_rdp_enabled_registry.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/macos/persistence_loginwindow_plist_modification.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/persistence_directory_services_plugins_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/collection_posh_compression.toml

rules/cross-platform/impact_hosts_file_modified.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/macos/defense_evasion_install_root_certificate.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/lateral_movement_ssh_it_worm_download.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/_deprecated/initial_access_login_time.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/lateral_movement_at.toml

rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_proxy_execution_via_msdt.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/macos/persistence_docker_shortcuts_plist_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/privilege_escalation_kworker_uid_elevation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/persistence_rds_instance_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/command_and_control_tunneling_via_earthworm.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/_deprecated/initial_access_login_failures.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/macos/credential_access_promt_for_pwd_via_osascript.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_workfolders_control_execution.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/persistence_emond_rules_process_execution.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_windows_cmd_shell_susp_args.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/azure/initial_access_external_guest_user_invite.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/persistence_priv_escalation_via_accessibility_features.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/privilege_escalation_pkexec_envar_hijack.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_netsh_helper_dll.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/persistence_screensaver_plist_file_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/macos/credential_access_kerberosdump_kcc.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/command_and_control_common_webservices.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/impact_ransomware_file_rename_smb.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/persistence_at_job_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/privilege_escalation_shadow_file_read.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_periodic_tasks_file_mdofiy.toml
rules_building_block/lateral_movement_at.toml

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/discovery_users_domain_built_in_commands.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/persistence_adobe_hijack_persistence.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_hosts_file_access.toml

rules/cross-platform/impact_hosts_file_modified.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_dbus_service_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/persistence_account_creation_hide_at_logon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_timestomp_sysmon.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/aws/initial_access_password_recovery.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_bpf_probe_write_user.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_lkm_configuration_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/lateral_movement_rdp_sharprdp_target.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_timestomp_sysmon.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_amsienable_key_mod.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/persistence_ssh_via_backdoored_system_user.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/cross-platform/discovery_security_software_grep.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_kernel_driver_load_by_non_root.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/_deprecated/initial_access_login_failures.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/macos/defense_evasion_apple_softupdates_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/persistence_rds_group_creation.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/lateral_movement_scheduled_task_target.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/network/command_and_control_accepted_default_telnet_port_connection.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/credential_access_credential_dumping_msbuild.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/command_and_control_outlook_home_page.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/execution_initial_access_wps_dll_exploit.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_tainted_kernel_module_load.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/windows/credential_access_mimikatz_memssp_default_logs.toml
rules_building_block/discovery_net_view.toml

rules/windows/persistence_registry_uncommon.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/privilege_escalation_local_user_added_to_admin.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/command_and_control_remote_file_copy_powershell.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/linux/persistence_apt_package_manager_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/aws/persistence_redshift_instance_creation.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_docker_shortcuts_plist_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_wsl_filesystem.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/collection_posh_compression.toml

rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/persistence_enable_root_account.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_sysmon_wmi_event_subscription.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/integrations/aws/impact_iam_group_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/command_and_control_outlook_home_page.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/macos/defense_evasion_safari_config_change.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/integrations/azure/persistence_azure_automation_account_created.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/lateral_movement_scheduled_task_target.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/discovery_net_view.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/credential_access_mitm_localhost_webproxy.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_suspicious_file_opened_through_editor.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_powershell_susp_args_via_winscript.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/_deprecated/initial_access_login_sessions.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/credential_access_gdb_init_process_hooking.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/lateral_movement_scheduled_task_target.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_suspicious_certutil_commands.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/persistence_kernel_driver_load_by_non_root.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_polkit_policy_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_kernel_driver_load_by_non_root.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/collection_posh_compression.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_rogue_windir_environment_var.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/lateral_movement_mounting_smb_share.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/persistence_bpf_probe_write_user.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/initial_access_execution_remote_via_msiexec.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/network/command_and_control_accepted_default_telnet_port_connection.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_unusual_dir_ads.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/azure/initial_access_external_guest_user_invite.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_pdf_written_file.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/macos/credential_access_kerberosdump_kcc.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/execution_windows_cmd_shell_susp_args.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_emond_rules_process_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/azure/discovery_blob_container_access_mod.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/discovery_posh_generic.toml

rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/macos/lateral_movement_mounting_smb_share.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_lsa_auth_package.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_sip_provider_mod.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/initial_access_xsl_script_execution_via_com.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/impact_esxi_process_kill.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/macos/lateral_movement_mounting_smb_share.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/persistence_creation_change_launch_agents_file.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/impact_ransomware_note_file_over_smb.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/collection_posh_compression.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/persistence_appcertdlls_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/defense_evasion_install_root_certificate.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_via_atom_init_file_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_appcertdlls_registry.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/command_and_control_port_forwarding_added_registry.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/collection_email_outlook_mailbox_via_com.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/initial_access_console_login_root.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_ssh_via_backdoored_system_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/macos/persistence_screensaver_plist_file_modification.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/integrations/aws/initial_access_console_login_root.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/cross-platform/defense_evasion_timestomp_touch.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/privilege_escalation_kworker_uid_elevation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_workfolders_control_execution.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/macos/defense_evasion_modify_environment_launchctl.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/_deprecated/discovery_whoami_commmand.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/lateral_movement_at.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/integrations/azure/discovery_blob_container_access_mod.toml
rules_building_block/discovery_net_view.toml

rules/macos/lateral_movement_remote_ssh_login_enabled.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/execution_windows_powershell_susp_args.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_acl_modification_via_setfacl.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/integrations/aws/persistence_redshift_instance_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/privilege_escalation_root_crontab_filemod.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_lsass_handle_via_malseclogon.toml
rules_building_block/discovery_net_view.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_disable_uac_registry.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/macos/persistence_account_creation_hide_at_logon.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_mod_wdigest_security_provider.toml
rules_building_block/discovery_net_view.toml

rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/discovery_posh_generic.toml

rules/network/discovery_potential_port_scan_detected.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/github/persistence_organization_owner_role_granted.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/lateral_movement_direct_outbound_smb_connection.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/macos/defense_evasion_apple_softupdates_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/execution_via_net_com_assemblies.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/execution_command_shell_started_by_powershell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/lateral_movement_vpn_connection_attempt.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/command_and_control_common_webservices.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_unusual_ads_file_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/initial_access_execution_remote_via_msiexec.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/credential_access_mimikatz_powershell_module.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/persistence_via_lsa_security_support_provider_registry.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/macos/persistence_account_creation_hide_at_logon.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/execution_posh_psreflect.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/impact_stop_process_service_threshold.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/azure/discovery_blob_container_access_mod.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/ml/execution_ml_windows_anomalous_script.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_proxy_execution_via_msdt.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
rules_building_block/collection_posh_compression.toml

rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_suspicious_lsass_access_memdump.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/persistence_loginwindow_plist_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/defense_evasion_safari_config_change.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/persistence_setuid_setgid_capability_set.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_execution_windefend_unusual_path.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_unusual_dir_ads.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/execution_ms_office_written_file.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/persistence_tainted_kernel_module_load.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_suspicious_lsass_access_generic.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml
rules_building_block/lateral_movement_at.toml

rules/windows/lateral_movement_evasion_rdp_shadowing.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_pluggable_authentication_module_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/privilege_escalation_named_pipe_impersonation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_shadow_file_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/macos/credential_access_systemkey_dumping.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/persistence_rds_cluster_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/collection_posh_compression.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/persistence_enable_root_account.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/macos/lateral_movement_mounting_smb_share.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_polkit_policy_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/_deprecated/execution_via_net_com_assemblies.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/network/discovery_potential_network_sweep_detected.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/command_and_control_rdp_tunnel_plink.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/lateral_movement_rdp_enabled_registry.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/lateral_movement_ssh_it_worm_download.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/collection_posh_compression.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/persistence_suspicious_calendar_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/cross-platform/impact_hosts_file_modified.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/command_and_control_teamviewer_remote_file_copy.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_wsl_registry_modification.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/execution_pdf_written_file.toml
rules_building_block/execution_linux_segfault.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_appinitdlls_registry.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/macos/credential_access_dumping_keychain_security.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/macos/credential_access_mitm_localhost_webproxy.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/azure/collection_update_event_hub_auth_rule.toml
rules_building_block/collection_posh_compression.toml

rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/ml/initial_access_ml_auth_rare_user_logon.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_linux_user_account_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
rules_building_block/collection_posh_compression.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_posh_password_policy.toml

rules/macos/persistence_account_creation_hide_at_logon.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/macos/persistence_screensaver_plist_file_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/lateral_movement_at.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/discovery_posh_password_policy.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_systemd_netcon.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_script_via_html_app.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/promotions/execution_endgame_exploit_prevented.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/network/discovery_potential_port_scan_detected.toml
rules_building_block/discovery_security_software_wmic.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/persistence_directory_services_plugins_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/macos/lateral_movement_vpn_connection_attempt.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/lateral_movement_rdp_enabled_registry.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_msbuild_making_network_connections.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_microsoft_defender_tampering.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/lateral_movement_at.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_lsass_memdump_file_created.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/persistence_pluggable_authentication_module_source_download.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/_deprecated/execution_linux_process_started_in_temp_directory.toml
rules_building_block/execution_linux_segfault.toml

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_appcertdlls_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/command_and_control_port_forwarding_added_registry.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/lateral_movement_powershell_remoting_target.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/privilege_escalation_pkexec_envar_hijack.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/initial_access_login_time.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_finder_sync_plugin_pluginkit.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_message_of_the_day_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/collection_posh_compression.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/credential_access_promt_for_pwd_via_osascript.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/initial_access_login_sessions.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/macos/privilege_escalation_local_user_added_to_admin.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/persistence_ec2_network_acl_creation.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_sip_provider_mod.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/execution_initial_access_suspicious_browser_childproc.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/macos/persistence_credential_access_authorization_plugin_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/collection_posh_compression.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/_deprecated/initial_access_login_location.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_moving_registry_hive_via_smb.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/execution_windows_powershell_susp_args.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_linux_user_account_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/azure/persistence_azure_automation_account_created.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_unusual_pam_grantor.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/execution_initial_access_via_msc_file.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_via_lsa_security_support_provider_registry.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/persistence_enable_root_account.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_systemd_service_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/macos/persistence_creation_change_launch_agents_file.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_net_view.toml

rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_initial_access_foxmail_exploit.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/network/discovery_potential_port_scan_detected.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/lateral_movement_incoming_wmi.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/macos/persistence_docker_shortcuts_plist_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_internet_capabilities.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_netsh_helper_dll.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_proxy_execution_via_msdt.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/initial_access_execution_remote_via_msiexec.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_unusual_dir_ads.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/discovery_net_view.toml

rules/linux/command_and_control_linux_chisel_client_activity.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/credential_access_gdb_init_process_hooking.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_systemd_generator_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/ml/initial_access_ml_windows_anomalous_user_name.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/macos/persistence_enable_root_account.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/aws/initial_access_password_recovery.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/initial_access_login_failures.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/macos/execution_initial_access_suspicious_browser_childproc.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/persistence_registry_uncommon.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_priv_escalation_via_accessibility_features.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/collection_posh_compression.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/collection_posh_compression.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/persistence_route_table_created.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/credential_access_suspicious_lsass_access_memdump.toml
rules_building_block/discovery_net_view.toml

rules/network/discovery_potential_network_sweep_detected.toml
rules_building_block/discovery_net_view.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_mod_wdigest_security_provider.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_polkit_policy_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/integrations/azure/defense_evasion_suppression_rule_created.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/macos/persistence_emond_rules_file_creation.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_msbuild_making_network_connections.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/execution_initial_access_suspicious_browser_childproc.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_user_or_group_creation_or_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_hosts_file_access.toml

rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/linux/persistence_setuid_setgid_capability_set.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/ml/initial_access_ml_windows_anomalous_user_name.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/linux/credential_access_proc_credential_dumping.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/aws/impact_rds_group_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/_deprecated/persistence_shell_activity_by_web_server.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/privilege_escalation_root_crontab_filemod.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/aws/persistence_iam_group_creation.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/ml/initial_access_ml_auth_rare_user_logon.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/execution_windows_cmd_shell_susp_args.toml
rules_building_block/collection_posh_compression.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/defense_evasion_chattr_immutable_file.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/macos/persistence_credential_access_authorization_plugin_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_net_view.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/execution_posh_hacktool_authors.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/lateral_movement_ssh_it_worm_download.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_mimikatz_memssp_default_logs.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_remote_sam_secretsdump.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/lateral_movement_remote_services.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/lateral_movement_executable_tool_transfer_smb.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/credential_access_proc_credential_dumping.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_lsass_loaded_susp_dll.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/command_and_control_linux_proxychains_activity.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/privilege_escalation_local_user_added_to_admin.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_tainted_kernel_module_load.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_mimikatz_memssp_default_logs.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/collection_posh_compression.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/persistence_xdg_autostart_netcon.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/network/discovery_potential_port_scan_detected.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/aws/persistence_rds_instance_made_public.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/command_and_control_tool_transfer_via_curl.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_at_job_creation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/credential_access_posh_relay_tools.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_bpf_probe_write_user.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/collection_outlook_email_archive.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/integrations/aws/exfiltration_rds_snapshot_export.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_file_deletion_via_shred.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/defense_evasion_chattr_immutable_file.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_message_of_the_day_execution.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_systemd_netcon.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/network/discovery_potential_network_sweep_detected.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_lsass_memdump_file_created.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/persistence_pluggable_authentication_module_source_download.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/collection_posh_compression.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/privilege_escalation_local_user_added_to_admin.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/lateral_movement_at.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/persistence_emond_rules_file_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_microsoft_defender_tampering.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/privilege_escalation_disable_uac_registry.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/command_and_control_encrypted_channel_freesslcert.toml
rules_building_block/discovery_net_view.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_apt_package_manager_netcon.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/discovery_net_view.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_installertakeover.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/credential_access_promt_for_pwd_via_osascript.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/macos/privilege_escalation_local_user_added_to_admin.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/macos/credential_access_dumping_keychain_security.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/persistence_systemd_netcon.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/lateral_movement_unusual_remote_file_creation.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/command_and_control_rdp_tunnel_plink.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/discovery_users_domain_built_in_commands.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_local_scheduled_job_creation.toml
rules_building_block/lateral_movement_at.toml

rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/discovery_net_view.toml

rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/_deprecated/initial_access_login_location.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/persistence_login_logout_hooks_defaults.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/credential_access_moving_registry_hive_via_smb.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/_deprecated/execution_mysql_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/macos/credential_access_credentials_keychains.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/aws/initial_access_console_login_root.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/macos/persistence_login_logout_hooks_defaults.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/persistence_time_provider_mod.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/persistence_emond_rules_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/collection_posh_compression.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_wsl_filesystem.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/initial_access_password_recovery.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/collection_posh_compression.toml

rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_tainted_kernel_module_load.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/macos/credential_access_dumping_hashes_bi_cmds.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/macos/defense_evasion_modify_environment_launchctl.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_pluggable_authentication_module_source_download.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/command_and_control_encrypted_channel_freesslcert.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/persistence_linux_user_added_to_privileged_group.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/persistence_shell_activity_by_web_server.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/aws/persistence_ec2_network_acl_creation.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_amsienable_key_mod.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/_deprecated/initial_access_login_time.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/azure/initial_access_external_guest_user_invite.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/persistence_time_provider_mod.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/collection_winrar_encryption.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/collection_posh_compression.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/collection_posh_compression.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/privilege_escalation_sudo_hijacking.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/collection_cloudtrail_logging_created.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/persistence_loginwindow_plist_modification.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/impact_ransomware_file_rename_smb.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/collection_email_outlook_mailbox_via_com.toml
rules_building_block/collection_posh_compression.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_kde_autostart_modification.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/_deprecated/execution_crash_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
rules_building_block/lateral_movement_at.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_ssh_via_backdoored_system_user.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
rules_building_block/lateral_movement_at.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/azure/discovery_blob_container_access_mod.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/ml/initial_access_ml_windows_anomalous_user_name.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/aws/initial_access_password_recovery.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/ml/initial_access_ml_auth_rare_user_logon.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/credential_access_moving_registry_hive_via_smb.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/macos/defense_evasion_modify_environment_launchctl.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/command_and_control_common_webservices.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/persistence_priv_escalation_via_accessibility_features.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_powershell_profiles.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/command_and_control_iexplore_via_com.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/macos/persistence_loginwindow_plist_modification.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/macos/lateral_movement_remote_ssh_login_enabled.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/persistence_linux_backdoor_user_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_browser_extension_install.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_psexec_lateral_movement_command.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/lateral_movement_incoming_wmi.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/_deprecated/execution_via_net_com_assemblies.toml
rules_building_block/execution_linux_segfault.toml

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/ml/initial_access_ml_auth_rare_user_logon.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/execution_mofcomp.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_suspicious_file_opened_through_editor.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/initial_access_login_sessions.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/linux/persistence_suspicious_file_opened_through_editor.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/cross-platform/persistence_shell_profile_modification.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/execution_file_execution_followed_by_deletion.toml
rules_building_block/collection_posh_compression.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/collection_posh_compression.toml

rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_scheduled_task_target.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/initial_access_login_location.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
rules_building_block/discovery_posh_generic.toml

rules/network/command_and_control_halfbaked_beacon.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/macos/lateral_movement_remote_ssh_login_enabled.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/execution_downloaded_url_file.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/privilege_escalation_kworker_uid_elevation.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/lateral_movement_unusual_remote_file_creation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/collection_posh_compression.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_account_creation_hide_at_logon.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_udev_rule_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/aws/initial_access_console_login_root.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/collection_winrar_encryption.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/command_and_control_iexplore_via_com.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/integrations/azure/collection_update_event_hub_auth_rule.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/collection_posh_compression.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/persistence_pluggable_authentication_module_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/collection_posh_compression.toml

rules/windows/initial_access_xsl_script_execution_via_com.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/persistence_unusual_pam_grantor.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_suspicious_service_created_registry.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/network/command_and_control_port_26_activity.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
rules_building_block/discovery_posh_generic.toml

rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/persistence_loginwindow_plist_modification.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_enable_root_account.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_wsl_filesystem.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_posh_token_impersonation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/execution_initial_access_wps_dll_exploit.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/collection_posh_compression.toml

rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_powershell_profiles.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/macos/persistence_suspicious_calendar_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_lkm_configuration_file_creation.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/network/discovery_potential_syn_port_scan_detected.toml
rules_building_block/discovery_security_software_wmic.toml

rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/collection_posh_compression.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/collection_posh_compression.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_at_job_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
rules_building_block/lateral_movement_at.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/network/command_and_control_accepted_default_telnet_port_connection.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/initial_access_login_sessions.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/macos/persistence_periodic_tasks_file_mdofiy.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/macos/persistence_creation_change_launch_agents_file.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/persistence_ssh_via_backdoored_system_user.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/credential_access_dumping_hashes_bi_cmds.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/persistence_dpkg_unusual_execution.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
rules_building_block/lateral_movement_at.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/execution_windows_cmd_shell_susp_args.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_systemd_service_started.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/ml/persistence_ml_rare_process_by_host_linux.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_workfolders_control_execution.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/network/command_and_control_accepted_default_telnet_port_connection.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/discovery_suspicious_memory_grep_activity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/azure/persistence_azure_automation_account_created.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/initial_access_execution_remote_via_msiexec.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/macos/persistence_periodic_tasks_file_mdofiy.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/credential_access_gdb_process_hooking.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/lateral_movement_at.toml

rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/credential_access_regback_sam_security_hives.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_shadow_file_modification.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/macos/defense_evasion_safari_config_change.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_suspicious_mining_process_creation_events.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/defense_evasion_modify_environment_launchctl.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/initial_access_console_login_root.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/macos/credential_access_systemkey_dumping.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/network/discovery_potential_syn_port_scan_detected.toml
rules_building_block/discovery_net_view.toml

rules/macos/credential_access_credentials_keychains.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_script_via_html_app.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/credential_access_ssh_backdoor_log.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/ml/initial_access_ml_windows_anomalous_user_name.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/azure/persistence_azure_automation_account_created.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_services_registry.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/macos/privilege_escalation_local_user_added_to_admin.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/execution_gcc_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_amsienable_key_mod.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_windows_cmd_shell_susp_args.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/persistence_unusual_pam_grantor.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/execution_ms_office_written_file.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/persistence_login_logout_hooks_defaults.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/impact_ransomware_note_file_over_smb.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/macos/discovery_users_domain_built_in_commands.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_psexec_lateral_movement_command.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/macos/persistence_enable_root_account.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/lateral_movement_executable_tool_transfer_smb.toml
rules_building_block/lateral_movement_at.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/persistence_adobe_hijack_persistence.toml
rules_building_block/discovery_net_view.toml

rules/network/discovery_potential_port_scan_detected.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_kde_autostart_modification.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/_deprecated/execution_find_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/persistence_crontab_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/_deprecated/execution_env_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_initial_access_via_msc_file.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_bpf_probe_write_user.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
rules_building_block/discovery_posh_generic.toml

rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_lkm_configuration_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_wsl_registry_modification.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_linux_group_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/command_and_control_remote_file_copy_scripts.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/macos/privilege_escalation_local_user_added_to_admin.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/execution_windows_cmd_shell_susp_args.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/lateral_movement_evasion_rdp_shadowing.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_masquerading_werfault.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/discovery_generic_account_groups.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/azure/persistence_azure_automation_account_created.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/network/command_and_control_port_26_activity.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/execution_python_tty_shell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/aws/persistence_route_table_created.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/macos/privilege_escalation_root_crontab_filemod.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/macos/privilege_escalation_user_added_to_admin_group.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/initial_access_script_executing_powershell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/_deprecated/execution_vi_binary.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_via_update_orchestrator_service_hijack.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/macos/execution_installer_package_spawned_network_event.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_evasion_registry_ifeo_injection.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/network/command_and_control_fin7_c2_behavior.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/command_and_control_rdp_tunnel_plink.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/lateral_movement_at.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_windows_cmd_shell_susp_args.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_app_compat_shim.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/lateral_movement_remote_services.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_potentially_overly_permissive_container_creation.toml
rules_building_block/discovery_posh_generic.toml

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_via_update_orchestrator_service_hijack.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/_deprecated/initial_access_login_failures.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/collection_posh_compression.toml

rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/aws/collection_cloudtrail_logging_created.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/linux/execution_nc_listener_via_rlwrap.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/credential_access_lsass_handle_via_malseclogon.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/integrations/aws/persistence_rds_group_creation.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/network/discovery_potential_port_scan_detected.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/execution_shell_evasion_linux_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/persistence_priv_escalation_via_accessibility_features.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/privilege_escalation_kworker_uid_elevation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/aws/persistence_route_table_created.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/azure/discovery_blob_container_access_mod.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/execution_expect_binary.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/credential_access_tcpdump_activity.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/macos/credential_access_kerberosdump_kcc.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/collection_posh_compression.toml

rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/linux/execution_unusual_path_invocation_from_command_line.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_local_scheduled_task_creation.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/ml/persistence_ml_rare_process_by_host_linux.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/command_and_control_linux_chisel_server_activity.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/_deprecated/initial_access_login_location.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/privilege_escalation_installertakeover.toml
rules_building_block/discovery_net_view.toml

rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/macos/lateral_movement_remote_ssh_login_enabled.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/promotions/execution_endgame_exploit_detected.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_tainted_kernel_module_load.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_workfolders_control_execution.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/_deprecated/execution_c89_c99_binary.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_systemd_shell_execution.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/_deprecated/execution_apt_binary.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/collection_posh_compression.toml

rules/linux/execution_interpreter_tty_upgrade.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/collection_email_powershell_exchange_mailbox.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/discovery_posh_password_policy.toml

rules/_deprecated/execution_busybox_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/integrations/azure/initial_access_external_guest_user_invite.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/linux/persistence_shell_configuration_modification.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/linux/execution_remote_code_execution_via_postgresql.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/credential_access_collection_sensitive_files.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/persistence_werfault_reflectdebugger.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/ml/initial_access_ml_auth_rare_user_logon.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/macos/lateral_movement_remote_ssh_login_enabled.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/discovery_posh_password_policy.toml

rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/execution_tc_bpf_filter.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_local_scheduled_task_creation.toml
rules_building_block/lateral_movement_at.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/_deprecated/execution_awk_binary_shell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/credential_access_credential_dumping.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/command_and_control_sunburst_c2_activity_detected.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/aws/persistence_rds_cluster_creation.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/persistence_enable_root_account.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_insmod_kernel_module_load.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/collection_posh_compression.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/_deprecated/execution_flock_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_kernel_driver_load_by_non_root.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_mod_wdigest_security_provider.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
rules_building_block/execution_aws_lambda_function_updated.toml

rules/windows/defense_evasion_network_connection_from_windows_binary.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/_deprecated/execution_interactive_exec_to_container.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_net_view.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/discovery_net_view.toml

rules/linux/defense_evasion_acl_modification_via_setfacl.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_credential_access_authorization_plugin_creation.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/persistence_dpkg_unusual_execution.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/network/discovery_potential_syn_port_scan_detected.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/persistence_kde_autostart_modification.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/_deprecated/execution_ssh_binary.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/macos/credential_access_mitm_localhost_webproxy.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/collection_posh_compression.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/github/persistence_organization_owner_role_granted.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/_deprecated/execution_cpulimit_binary.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/lateral_movement_at.toml

rules/linux/discovery_unusual_user_enumeration_via_id.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/credential_access_suspicious_lsass_access_generic.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/lateral_movement_at.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/lateral_movement_ssh_it_worm_download.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/collection_posh_compression.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_remote_sam_secretsdump.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_proxy_execution_via_msdt.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
rules_building_block/lateral_movement_at.toml

rules/macos/credential_access_dumping_hashes_bi_cmds.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/persistence_apt_package_manager_netcon.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
rules_building_block/discovery_net_view.toml

rules/macos/persistence_finder_sync_plugin_pluginkit.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/cross-platform/defense_evasion_timestomp_touch.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/persistence_shadow_file_modification.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/lateral_movement_telnet_network_activity_internal.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_getconf_execution.toml

rules/linux/defense_evasion_file_mod_writable_dir.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_generic_registry_query.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_script_via_html_app.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/linux/discovery_unusual_user_enumeration_via_id.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/persistence_evasion_hidden_local_account_creation.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/azure/execution_command_virtual_machine.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/_deprecated/execution_linux_process_started_in_temp_directory.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/discovery_net_view.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/lateral_movement_at.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/collection_outlook_email_archive.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/lateral_movement_at.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/collection_posh_compression.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_generic_registry_query.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_root_dir_ads_creation.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_system_time_discovery.toml

rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/defense_evasion_ld_so_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_hide_encoded_executable_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/discovery_generic_account_groups.toml

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/promotions/execution_endgame_exploit_prevented.toml
rules_building_block/execution_linux_segfault.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_downloaded_url_file.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/macos/lateral_movement_vpn_connection_attempt.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/persistence_bpf_probe_write_user.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/discovery_net_view.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_werfault_reflectdebugger.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_werfault_reflectdebugger.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/collection_posh_compression.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/command_and_control_tunnel_vscode.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/cross-platform/impact_hosts_file_modified.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/persistence_dbus_service_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/discovery_net_view.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_sccm_scnotification_dll.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/initial_access_scripts_process_started_via_wmi.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/discovery_sudo_allowed_command_enumeration.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_amsi_bypass_powershell.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_generic_registry_query.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/persistence_user_credential_modification_via_echo.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_of_domain_groups.toml

rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/credential_access_gdb_init_process_hooking.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_local_scheduled_task_scripting.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/lateral_movement_telnet_network_activity_external.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
rules_building_block/discovery_system_time_discovery.toml

rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_ssh_via_backdoored_system_user.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/lateral_movement_at.toml

rules/macos/persistence_loginwindow_plist_modification.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_sccm_scnotification_dll.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_net_view.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/persistence_time_provider_mod.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_dpkg_unusual_execution.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_lsass_memdump_handle_access.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/persistence_etc_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/lateral_movement_at.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/windows/collection_posh_clipboard_capture.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/persistence_polkit_policy_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_root_dir_ads_creation.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/macos/persistence_suspicious_calendar_modification.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/lateral_movement_at.toml

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/macos/lateral_movement_remote_ssh_login_enabled.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_via_rogue_named_pipe.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/collection_outlook_email_archive.toml

rules/macos/persistence_finder_sync_plugin_pluginkit.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/discovery_posh_suspicious_api_functions.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
rules_building_block/execution_linux_segfault.toml

rules/integrations/aws/persistence_rds_instance_made_public.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/discovery_sudo_allowed_command_enumeration.toml
rules_building_block/discovery_of_domain_groups.toml

rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/lateral_movement_at.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_generic_registry_query.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/lateral_movement_at.toml

rules/linux/persistence_shadow_file_modification.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_system_time_discovery.toml

rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/discovery_system_service_discovery.toml

rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/command_and_control_encrypted_channel_freesslcert.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/integrations/azure/execution_command_virtual_machine.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/linux/lateral_movement_telnet_network_activity_internal.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_appcertdlls_registry.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/execution_shell_via_child_tcp_utility_linux.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_via_filter_manager.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/collection_posh_compression.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/lateral_movement_telnet_network_activity_internal.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/discovery_sudo_allowed_command_enumeration.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/macos/discovery_users_domain_built_in_commands.toml
rules_building_block/discovery_of_domain_groups.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/discovery_unusual_user_enumeration_via_id.toml
rules_building_block/discovery_getconf_execution.toml

rules/linux/initial_access_first_time_public_key_authentication.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/_deprecated/persistence_shell_activity_by_web_server.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/integrations/aws/persistence_rds_cluster_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_root_dir_ads_creation.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_suspicious_com_hijack_registry.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/credential_access_lsass_handle_via_malseclogon.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/integrations/azure/initial_access_external_guest_user_invite.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_via_filter_manager.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/discovery_getconf_execution.toml

rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/impact_stop_process_service_threshold.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/persistence_ssh_key_generation.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/discovery_net_view.toml

rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_service_dll_unsigned.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/lateral_movement_at.toml

rules/windows/execution_posh_portable_executable.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/privilege_escalation_disable_uac_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_generic_registry_query.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/discovery_system_service_discovery.toml

rules/ml/initial_access_ml_linux_anomalous_user_name.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/threat_intel/threat_intel_indicator_match_address.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/discovery_net_view.toml

rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/windows/credential_access_moving_registry_hive_via_smb.toml
rules_building_block/lateral_movement_at.toml

rules/linux/persistence_apt_package_manager_netcon.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/integrations/azure/execution_command_virtual_machine.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_parent_process_pid_spoofing.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/discovery_net_view.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/promotions/execution_endgame_exploit_detected.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_lsass_memdump_handle_access.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/credential_access_credential_dumping.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_sccm_scnotification_dll.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/defense_evasion_file_mod_writable_dir.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/discovery_security_software_wmic.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/linux/defense_evasion_prctl_process_name_tampering.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/collection_mailbox_export_winlog.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_lsass_loaded_susp_dll.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/defense_evasion_file_mod_writable_dir.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_posh_assembly_load.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/macos/persistence_docker_shortcuts_plist_modification.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/ml/persistence_ml_windows_anomalous_process_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/credential_access_credential_dumping_msbuild.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/threat_intel/threat_intel_indicator_match_registry.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/discovery_system_time_discovery.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_suspicious_file_opened_through_editor.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/linux/discovery_security_file_access_via_common_utility.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/credential_access_wireless_creds_dumping.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/promotions/execution_endgame_exploit_detected.toml
rules_building_block/execution_linux_segfault.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/_deprecated/initial_access_login_location.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_sccm_scnotification_dll.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/persistence_pluggable_authentication_module_source_download.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/collection_posh_compression.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/discovery_esxi_software_via_grep.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/persistence_web_server_sus_destination_port.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/lateral_movement_cmd_service.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/lateral_movement_at.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_suspicious_file_opened_through_editor.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/persistence_setuid_setgid_capability_set.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_driver_newterm_imphash.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/privilege_escalation_driver_newterm_imphash.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_sccm_scnotification_dll.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/credential_access_generic_localdumps.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_untrusted_driver_loaded.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_generic_registry_query.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/impact_memory_swap_modification.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_disable_uac_registry.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/collection_mailbox_export_winlog.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/discovery_sudo_allowed_command_enumeration.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/persistence_manual_dracut_execution.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/discovery_security_software_wmic.toml

rules/_deprecated/initial_access_login_sessions.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/persistence_ssh_via_backdoored_system_user.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_bpf_probe_write_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/persistence_extract_initramfs_via_cpio.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/lateral_movement_remote_services.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/discovery_net_view.toml

rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/lateral_movement_at.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/collection_posh_compression.toml

rules/linux/defense_evasion_rename_esxi_index_file.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/lateral_movement_at.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/initial_access_scripts_process_started_via_wmi.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/lateral_movement_at.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/_deprecated/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/collection_posh_compression.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_script_via_html_app.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/lateral_movement_telnet_network_activity_external.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/execution_suspicious_psexesvc.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/lateral_movement_at.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/discovery_system_service_discovery.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
rules_building_block/discovery_net_view.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_via_update_orchestrator_service_hijack.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_win_network_connections.toml

rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/linux/persistence_grub_configuration_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
rules_building_block/discovery_system_network_connections.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/lateral_movement_telnet_network_activity_external.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
rules_building_block/discovery_win_network_connections.toml

rules/linux/persistence_linux_user_added_to_privileged_group.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_systemd_generator_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/defense_evasion_kthreadd_masquerading.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/command_and_control_encrypted_channel_freesslcert.toml
rules_building_block/discovery_posh_password_policy.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/lateral_movement_via_wsus_update.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_win_network_connections.toml

rules/ml/discovery_ml_linux_system_process_discovery.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/collection_outlook_email_archive.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/persistence_appinitdlls_registry.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_startup_folder_scripts.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/discovery_esxi_software_via_find.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/impact_ransomware_file_rename_smb.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_potential_hack_tool_executed.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/aws/initial_access_console_login_root.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
rules_building_block/lateral_movement_at.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/execution_shell_via_java_revshell_linux.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/azure/execution_command_virtual_machine.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/persistence_unusual_pam_grantor.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/discovery_virtual_machine_fingerprinting.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_suspicious_wmi_script.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/persistence_services_registry.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_remote_sam_secretsdump.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_lsass_loaded_susp_dll.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/discovery_active_directory_webservice.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_msoffice_startup_registry.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_scheduled_task_powershell_source.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/discovery_net_view.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_via_lsa_security_support_provider_registry.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/defense_evasion_rename_esxi_files.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/persistence_time_provider_mod.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/persistence_network_manager_dispatcher_persistence.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/execution_abnormal_process_id_file_created.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/lateral_movement_at.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/collection_mailbox_export_winlog.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/collection_posh_compression.toml

rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_suspicious_certutil_commands.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_generic_account_groups.toml

rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/credential_access_kerberosdump_kcc.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/privilege_escalation_disable_uac_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_apt_package_manager_netcon.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_of_domain_groups.toml

rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
rules_building_block/discovery_net_view.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/discovery_system_service_discovery.toml

rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
rules_building_block/lateral_movement_at.toml

rules/windows/collection_winrar_encryption.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_execution_windefend_unusual_path.toml
rules_building_block/discovery_generic_account_groups.toml

rules/cross-platform/impact_hosts_file_modified.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_execution_windefend_unusual_path.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/persistence_systemd_netcon.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_polkit_policy_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_ms_office_written_file.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/azure/persistence_azure_automation_account_created.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/discovery_suspicious_memory_grep_activity.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_proxy_execution_via_msdt.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/persistence_lkm_configuration_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/ml/initial_access_ml_linux_anomalous_user_name.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/discovery_getconf_execution.toml

rules/linux/persistence_git_hook_process_execution.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_psexec_lateral_movement_command.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/discovery_security_software_wmic.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/windows/persistence_msoffice_startup_registry.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/cross-platform/discovery_security_software_grep.toml
rules_building_block/discovery_win_network_connections.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_services_registry.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/persistence_rds_instance_made_public.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/credential_access_gdb_process_hooking.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/_deprecated/initial_access_login_failures.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
rules_building_block/discovery_net_view.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/defense_evasion_root_dir_ads_creation.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/azure/execution_command_virtual_machine.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_network_event_post_compilation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/discovery_system_service_discovery.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/persistence_linux_shell_activity_via_web_server.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/persistence_linux_group_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/lateral_movement_incoming_wmi.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
rules_building_block/discovery_net_view.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_root_dir_ads_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/persistence_shadow_file_modification.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_remote_sam_secretsdump.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/aws/initial_access_password_recovery.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_systemd_netcon.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_expired_driver_loaded.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/windows/credential_access_kirbi_file.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/persistence_suspicious_file_opened_through_editor.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/aws/persistence_rds_cluster_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_netsh_helper_dll.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_lsa_auth_package.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/persistence_ec2_network_acl_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/macos/persistence_directory_services_plugins_modification.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/execution_shell_via_meterpreter_linux.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_pluggable_authentication_module_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/lateral_movement_at.toml

rules/windows/collection_winrar_encryption.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_unusual_ads_file_creation.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/lateral_movement_at.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_root_dir_ads_creation.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/collection_email_outlook_mailbox_via_com.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/linux/discovery_unusual_user_enumeration_via_id.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/defense_evasion_creation_of_hidden_files_directories.toml
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/macos/lateral_movement_vpn_connection_attempt.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/persistence_apt_package_manager_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/persistence_github_new_user_added_to_organization.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/defense_evasion_creation_of_hidden_files_directories.toml
rules_building_block/privilege_escalation_trap_execution.toml

rules/windows/credential_access_suspicious_lsass_access_memdump.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/linux/discovery_suspicious_memory_grep_activity.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/lateral_movement_at.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_generic_registry_query.toml

rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/lateral_movement_mounting_smb_share.toml
rules_building_block/lateral_movement_at.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_generic_registry_query.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_sccm_scnotification_dll.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_generic_registry_query.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/collection_posh_webcam_video_capture.toml
rules_building_block/discovery_net_view.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/lateral_movement_at.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/command_and_control_screenconnect_childproc.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/promotions/credential_access_endgame_cred_dumping_detected.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/persistence_linux_user_account_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/credential_access_collection_sensitive_files.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
rules_building_block/collection_posh_compression.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_internet_capabilities.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/collection_outlook_email_archive.toml

rules/_deprecated/initial_access_login_time.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_generic_registry_query.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/persistence_simple_web_server_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_system_time_discovery.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_user_or_group_creation_or_modification.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_system_shells_via_services.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/linux/persistence_process_capability_set_via_setcap.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/defense_evasion_interactive_shell_from_system_user.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_sccm_scnotification_dll.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/defense_evasion_kernel_module_removal.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/discovery_net_view.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/discovery_system_service_discovery.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_suspicious_zoom_child_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_from_unusual_directory.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/command_and_control_teamviewer_remote_file_copy.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_suspicious_scrobj_load.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/defense_evasion_interactive_shell_from_system_user.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/discovery_net_view.toml

rules/linux/privilege_escalation_shadow_file_read.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/persistence_process_capability_set_via_setcap.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/execution_via_compiled_html_file.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/command_and_control_encrypted_channel_freesslcert.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_shared_object_creation.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/discovery_process_capabilities.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/lateral_movement_remote_services.toml
rules_building_block/discovery_net_view.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_suspicious_certutil_commands.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_execution_windefend_unusual_path.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_installertakeover.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/persistence_apt_package_manager_netcon.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_browser_extension_install.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/discovery_generic_registry_query.toml

rules/linux/discovery_suspicious_memory_grep_activity.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_generic_registry_query.toml

rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/aws/persistence_rds_instance_made_public.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/execution_abnormal_process_id_file_created.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/lateral_movement_at.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/execution_python_webserver_spawned.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_root_dir_ads_creation.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/privilege_escalation_driver_newterm_imphash.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/integrations/azure/execution_command_virtual_machine.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/persistence_grub_makeconfig.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_masquerading_renamed_autoit.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/lateral_movement_at.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/discovery_net_view.toml

rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/collection_posh_compression.toml

rules/windows/discovery_active_directory_webservice.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/lateral_movement_at.toml

rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_suspicious_service_created_registry.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/lateral_movement_rdp_sharprdp_target.toml
rules_building_block/lateral_movement_at.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/lateral_movement_at.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/lateral_movement_at.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_remote_sam_secretsdump.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_netsh_helper_dll.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_hide_encoded_executable_registry.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_systemd_service_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/linux/execution_shell_via_background_process.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/defense_evasion_creation_of_hidden_files_directories.toml
rules_building_block/discovery_hosts_file_access.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/cross-platform/impact_hosts_file_modified.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_evasion_hidden_local_account_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/execution_from_unusual_path_cmdline.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/discovery_posh_password_policy.toml

rules/integrations/azure/execution_command_virtual_machine.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_suspicious_comsvcs_imageload.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_via_hidden_run_key_valuename.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/ml/initial_access_ml_linux_anomalous_user_name.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/discovery_posh_generic.toml

rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/persistence_tainted_kernel_module_load.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_dracut_module_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_evasion_registry_ifeo_injection.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/macos/lateral_movement_vpn_connection_attempt.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/execution_downloaded_shortcut_files.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/persistence_registry_uncommon.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_installertakeover.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/macos/credential_access_kerberosdump_kcc.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/persistence_app_compat_shim.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_priv_escalation_via_accessibility_features.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_posh_invoke_ninjacopy.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_lkm_configuration_file_creation.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/lateral_movement_at.toml

rules/linux/discovery_yum_dnf_plugin_detection.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/discovery_system_service_discovery.toml

rules/linux/persistence_apt_package_manager_file_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/collection_posh_compression.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/discovery_security_software_wmic.toml

rules/ml/discovery_ml_linux_system_user_discovery.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/discovery_system_service_discovery.toml

rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/execution_command_shell_via_rundll32.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/discovery_security_software_wmic.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/impact_ransomware_note_file_over_smb.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_git_hook_netcon.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/discovery_polkit_version_discovery.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/linux/discovery_pam_version_discovery.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/defense_evasion_ssl_certificate_deletion.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/discovery_net_view.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/lateral_movement_at.toml

rules/windows/execution_psexec_lateral_movement_command.toml
rules_building_block/lateral_movement_at.toml

rules/windows/discovery_active_directory_webservice.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/lateral_movement_at.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
rules_building_block/execution_linux_segfault.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/discovery_security_software_wmic.toml

rules/threat_intel/threat_intel_indicator_match_url.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/collection_email_outlook_mailbox_via_com.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_getconf_execution.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_proxy_execution_via_msdt.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
rules_building_block/execution_linux_segfault.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/integrations/aws/impact_s3_object_versioning_disabled.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/defense_evasion_creation_of_hidden_files_directories.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/discovery_system_service_discovery.toml

rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_veeam_backup_dll_imageload.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/execution_suspicious_powershell_imgload.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_win_network_connections.toml

rules/linux/persistence_tainted_kernel_module_load.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/lateral_movement_at.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/defense_evasion_unusual_preload_env_vars.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/defense_evasion_hex_payload_execution.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/lateral_movement_dcom_hta.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/linux/persistence_simple_web_server_connection_accepted.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/linux/persistence_at_job_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/lateral_movement_at.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/threat_intel/threat_intel_indicator_match_hash.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/credential_access_collection_sensitive_files.toml
rules_building_block/collection_posh_compression.toml

rules/linux/persistence_systemd_scheduled_timer_created.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/integrations/aws/impact_rds_snapshot_deleted.toml
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/macos/credential_access_dumping_hashes_bi_cmds.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/persistence_simple_web_server_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/execution_shell_openssl_client_or_server.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/persistence_powershell_profiles.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_system_service_discovery.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_posh_compressed.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/_deprecated/defense_evasion_potential_processherpaderping.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/persistence_user_or_group_creation_or_modification.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/discovery_active_directory_webservice.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/discovery_posh_generic.toml

rules/_deprecated/execution_suspicious_jar_child_process.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/persistence_init_d_file_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/discovery_net_view.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/collection_posh_compression.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/discovery_net_view.toml

rules/ml/initial_access_ml_linux_anomalous_user_name.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/execution_system_binary_file_permission_change.toml
rules_building_block/discovery_posh_generic.toml

rules/linux/execution_abnormal_process_id_file_created.toml
rules_building_block/execution_github_repo_interaction_from_new_ip.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/collection_outlook_email_archive.toml

rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/collection_winrar_encryption.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_via_mmc_console_file_unusual_path.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_remote_sam_secretsdump.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_sccm_scnotification_dll.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/defense_evasion_file_creation_mult_extension.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_mshta_beacon.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/persistence_pth_file_creation.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/persistence_web_server_sus_file_creation.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_posh_veeam_sql.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/execution_windows_script_from_internet.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/discovery_suspicious_memory_grep_activity.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/persistence_grub_configuration_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/discovery_system_time_discovery.toml

rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
rules_building_block/discovery_net_view.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_execution_windefend_unusual_path.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/lateral_movement_at.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/persistence_systemd_service_started.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/discovery_generic_registry_query.toml

rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_of_domain_groups.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/persistence_linux_group_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/credential_access_kirbi_file.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_werfault_reflectdebugger.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/linux/persistence_dbus_service_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/aws/impact_rds_snapshot_deleted.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/execution_process_backgrounded_by_unusual_parent.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/collection_posh_audio_capture.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/initial_access_execution_remote_via_msiexec.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/lateral_movement_at.toml

rules/ml/persistence_ml_windows_anomalous_path_activity.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_suspicious_certutil_commands.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/fim/persistence_suspicious_file_modifications.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/persistence_process_capability_set_via_setcap.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_clearing_windows_console_history.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/lateral_movement_execution_from_tsclient_mup.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/defense_evasion_creation_of_hidden_files_directories.toml
rules_building_block/discovery_system_network_connections.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/aws/privilege_escalation_sts_role_chaining.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_masquerading_business_apps_installer.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/execution_shell_via_suspicious_binary.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/windows/execution_pdf_written_file.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/credential_access_ssh_backdoor_log.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/discovery_suspicious_memory_grep_activity.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/macos/persistence_folder_action_scripts_runtime.toml
rules_building_block/collection_posh_compression.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/persistence_kworker_file_creation.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/impact_high_freq_file_renames_by_kernel.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/defense_evasion_root_certificate_installation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
rules_building_block/lateral_movement_at.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_generic_localdumps.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/privilege_escalation_krbrelayup_service_creation.toml
rules_building_block/discovery_system_service_discovery.toml

rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml

rules/windows/persistence_local_scheduled_task_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/execution_command_shell_started_by_svchost.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_posh_process_injection.toml
rules_building_block/discovery_net_view.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_via_rogue_named_pipe.toml
rules_building_block/discovery_net_view.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/persistence_unusual_pam_grantor.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/collection_outlook_email_archive.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/integrations/aws/impact_iam_group_deletion.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_powershell_clear_logs_script.toml

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/persistence_kernel_object_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/discovery_system_service_discovery.toml

rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_rundll32_no_arguments.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/linux/discovery_kernel_module_enumeration.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/discovery_linux_hping_activity.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/privilege_escalation_create_process_as_different_user.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/persistence_process_capability_set_via_setcap.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_posh_kerb_ticket_dump.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/collection_archive_data_zip_imageload.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/aws/persistence_rds_cluster_creation.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/discovery_proc_maps_read.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/collection_posh_compression.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_linux_user_account_creation.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/credential_access_wbadmin_ntds.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/persistence_git_hook_file_creation.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/integrations/azure/execution_command_virtual_machine.toml
rules_building_block/collection_posh_compression.toml

rules/promotions/execution_endgame_exploit_prevented.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/persistence_kernel_driver_load_by_non_root.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_hide_encoded_executable_registry.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/privilege_escalation_lsa_auth_package.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/linux/persistence_apt_package_manager_file_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/collection_outlook_email_archive.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/macos/execution_script_via_automator_workflows.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/linux/discovery_unusual_user_enumeration_via_id.toml
rules_building_block/discovery_of_domain_groups.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/defense_evasion_posh_obfuscation.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/execution_unusual_pkexec_execution.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/credential_access_posh_minidump.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/discovery_kernel_seeking.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_kirbi_file.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
rules_building_block/discovery_net_view.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/macos/credential_access_kerberosdump_kcc.toml
rules_building_block/credential_access_mdmp_file_creation.toml

rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_proxy_execution_via_msdt.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/credential_access_cmdline_dump_tool.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/discovery_kernel_unpacking.toml
rules_building_block/discovery_linux_system_owner_user_discovery.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/lateral_movement_at.toml

rules/macos/persistence_directory_services_plugins_modification.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/lateral_movement_evasion_rdp_shadowing.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/discovery_private_key_password_searching_activity.toml
rules_building_block/discovery_signal_unusual_user_host.toml

rules/windows/impact_modification_of_boot_config.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/credential_access_persistence_network_logon_provider_modification.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/cross-platform/execution_revershell_via_shell_cmd.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/network/command_and_control_accepted_default_telnet_port_connection.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/command_and_control_ip_forwarding_activity.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/ml/initial_access_ml_linux_anomalous_user_name.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/defense_evasion_msxsl_network.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_webshell_detection.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_installutil_beacon.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/discovery_security_software_wmic.toml

rules/linux/defense_evasion_directory_creation_in_bin.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/credential_access_proc_credential_dumping.toml
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/privilege_escalation_service_control_spawned_script_int.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/lateral_movement_remote_service_installed_winlog.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/linux/execution_suspicious_executable_running_system_commands.toml
rules_building_block/execution_github_new_event_action_for_pat.toml

rules/linux/execution_potential_hack_tool_executed.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/persistence_udev_rule_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/execution_abnormal_process_id_file_created.toml
rules_building_block/execution_github_new_repo_interaction_for_pat.toml

rules/linux/discovery_dynamic_linker_via_od.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/lateral_movement_at.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_masquerading_trusted_directory.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/persistence_cron_job_creation.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_group_policy_iniscript.toml
rules_building_block/collection_outlook_email_archive.toml

rules/integrations/azure/execution_command_virtual_machine.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/defense_evasion_execution_windefend_unusual_path.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/discovery_system_service_discovery.toml

rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_spn_attribute_modified.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml

rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_defender_disabled_via_registry.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/linux/defense_evasion_interactive_shell_from_system_user.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/persistence_git_hook_execution.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/credential_access_dollar_account_relay.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/collection_posh_compression.toml

rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/execution_linux_segfault.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/initial_access_scripts_process_started_via_wmi.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/defense_evasion_execution_windefend_unusual_path.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_clearing_windows_security_logs.toml
rules_building_block/defense_evasion_service_disabled_registry.toml

rules/linux/persistence_boot_file_copy.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/lateral_movement_unusual_dns_service_children.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_run_key_and_startup_broad.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/credential_access_mdmp_file_unusual_extension.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/privilege_escalation_group_policy_privileged_groups.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/credential_access_posh_request_ticket.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/persistence_ssh_netcon.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/ml/discovery_ml_linux_system_process_discovery.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/defense_evasion_right_to_left_override.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/discovery_high_number_ad_properties.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/credential_access_dump_registry_hives.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/discovery_system_service_discovery.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/linux/discovery_suspicious_which_command_execution.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_credroaming_ldap.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/linux/execution_shell_via_udp_cli_utility_linux.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/persistence_systemd_shell_execution.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_exploit_cve_202238028.toml
rules_building_block/defense_evasion_masquerading_vlc_dll.toml

rules/windows/defense_evasion_sdelete_like_filename_rename.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/linux/privilege_escalation_sudo_hijacking.toml
rules_building_block/defense_evasion_dll_hijack.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/execution_posh_hacktool_functions.toml
rules_building_block/discovery_net_view.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_unsigned_bits_client.toml

rules/windows/privilege_escalation_installertakeover.toml
rules_building_block/defense_evasion_outlook_suspicious_child.toml

rules/windows/initial_access_rdp_file_mail_attachment.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/command_and_control_dns_tunneling_nslookup.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_masquerading_communication_apps.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/persistence_systemd_netcon.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/persistence_apt_package_manager_execution.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_user_account_creation.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/persistence_credential_access_modify_ssh_binaries.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
rules_building_block/defense_evasion_generic_deletion.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
rules_building_block/discovery_net_view.toml

rules/linux/persistence_shadow_file_modification.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/windows/lateral_movement_remote_task_creation_winlog.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/impact_stop_process_service_threshold.toml
rules_building_block/discovery_system_time_discovery.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/linux/initial_access_first_time_public_key_authentication.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_adidns_wildcard.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/_deprecated/execution_via_net_com_assemblies.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/discovery_sudo_allowed_command_enumeration.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/persistence_msi_installer_task_startup.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
rules_building_block/discovery_posh_password_policy.toml

rules/windows/discovery_command_system_account.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/execution_linux_segfault.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
rules_building_block/discovery_linux_sysctl_enumeration.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_windows_filtering_platform.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/ml/discovery_ml_linux_system_information_discovery.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/persistence_remote_password_reset.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_wsl_bash_exec.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/collection_outlook_email_archive.toml

rules/macos/execution_shell_execution_via_apple_scripting.toml
rules_building_block/lateral_movement_posh_winrm_activity.toml

rules/windows/defense_evasion_via_filter_manager.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/linux/defense_evasion_creation_of_hidden_files_directories.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/persistence_scheduled_task_creation_winlog.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/discovery_pspy_process_monitoring_detected.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/command_and_control_certreq_postdata.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/persistence_app_compat_shim.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/discovery_peripheral_device.toml
rules_building_block/discovery_generic_account_groups.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_injection_msbuild.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
rules_building_block/defense_evasion_injection_from_msoffice.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/credential_access_veeam_commands.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/initial_access_webshell_screenconnect_server.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/credential_access_saved_creds_vaultcmd.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/linux/persistence_kernel_driver_load.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
rules_building_block/discovery_process_discovery_via_builtin_tools.toml

rules/windows/credential_access_ldap_attributes.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/persistence_dontexpirepasswd_account.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/defense_evasion_dns_over_https_enabled.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/windows/defense_evasion_root_dir_ads_creation.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/defense_evasion_unusual_system_vp_child_program.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/linux/execution_process_started_in_shared_memory_directory.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/linux/defense_evasion_hidden_directory_creation.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/linux/discovery_suid_sguid_enumeration.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/macos/persistence_docker_shortcuts_plist_modification.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/ml/initial_access_ml_linux_anomalous_user_name.toml
rules_building_block/initial_access_github_new_ip_address_for_user.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/defense_evasion_unusual_process_network_connection.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/macos/privilege_escalation_applescript_with_admin_privs.toml
rules_building_block/discovery_posh_password_policy.toml

rules/linux/defense_evasion_hidden_file_dir_tmp.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_suspicious_short_program_name.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/collection_posh_keylogger.toml
rules_building_block/defense_evasion_service_path_registry.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/linux/execution_process_started_from_process_id_file.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/persistence_suspicious_scheduled_task_runtime.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_wsl_kalilinux.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/linux/execution_perl_tty_shell.toml
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/discovery_net_view.toml

rules/windows/defense_evasion_disabling_windows_logs.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
rules_building_block/discovery_security_software_wmic.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/discovery_system_service_discovery.toml

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
rules_building_block/defense_evasion_unusual_process_extension.toml

rules/linux/persistence_unusual_sshd_child_process.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/collection_posh_screen_grabber.toml
rules_building_block/collection_files_staged_in_recycle_bin_root.toml

rules/windows/execution_suspicious_pdf_reader.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
rules_building_block/discovery_internet_capabilities.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_create_mod_root_certificate.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/ml/persistence_ml_windows_anomalous_process_creation.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/linux/persistence_apt_package_manager_netcon.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/privilege_escalation_persistence_phantom_dll.toml
rules_building_block/discovery_linux_system_information_discovery.toml

rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/linux/persistence_site_and_user_customize_file_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/persistence_scheduled_task_updated.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/privilege_escalation_group_policy_scheduled_task.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/persistence_via_wmi_stdregprov_run_services.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/privilege_escalation_unquoted_service_path.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
rules_building_block/collection_common_compressed_archived_file.toml

rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/defense_evasion_disable_nla.toml
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/command_and_control_iexplore_via_com.toml
rules_building_block/command_and_control_non_standard_http_port.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/linux/persistence_openssl_passwd_hash_generation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/macos/persistence_creation_hidden_login_item_osascript.toml
rules_building_block/persistence_startup_folder_lnk.toml

rules/windows/discovery_posh_invoke_sharefinder.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/execution_com_object_xwizard.toml
rules_building_block/collection_outlook_email_archive.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
rules_building_block/defense_evasion_write_dac_access.toml

rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml

rules/linux/defense_evasion_dynamic_linker_file_creation.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/privilege_escalation_make_token_local.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
rules_building_block/initial_access_github_new_user_agent_for_pat.toml

rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
rules_building_block/initial_access_github_new_ip_address_for_pat.toml

rules/windows/discovery_privileged_localgroup_membership.toml
rules_building_block/discovery_linux_modprobe_enumeration.toml

rules/linux/command_and_control_cat_network_activity.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/initial_access_suspicious_ms_office_child_process.toml
rules_building_block/lateral_movement_at.toml

rules/windows/persistence_via_application_shimming.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/credential_access_iis_connectionstrings_dumping.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_sc_sdset.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/windows/persistence_group_modification_by_system.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/defense_evasion_file_permission_modification.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
rules_building_block/discovery_remote_system_discovery_commands_windows.toml

rules/windows/credential_access_dcsync_user_backdoor.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
rules_building_block/persistence_github_new_pat_for_user.toml

rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
rules_building_block/persistence_iam_instance_request_to_iam_service.toml

rules/windows/persistence_ad_adminsdholder.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

rules/windows/lateral_movement_dcom_mmc20.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/windows/discovery_adfind_command_activity.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
rules_building_block/discovery_windows_system_information_discovery.toml

rules/linux/persistence_ssh_via_backdoored_system_user.toml
rules_building_block/defense_evasion_services_exe_path.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/defense_evasion_installutil_command_activity.toml

rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
rules_building_block/defense_evasion_posh_defender_tampering.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/persistence_temp_scheduled_task.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/defense_evasion_wsl_child_process.toml
rules_building_block/collection_outlook_email_archive.toml

rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
rules_building_block/execution_github_new_repo_interaction_for_user.toml

rules/ml/persistence_ml_rare_process_by_host_linux.toml
rules_building_block/command_and_control_certutil_network_connection.toml

rules/linux/command_and_control_linux_kworker_netcon.toml
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml

rules/linux/discovery_suspicious_memory_grep_activity.toml
rules_building_block/discovery_suspicious_proc_enumeration.toml

rules/windows/discovery_whoami_command_activity.toml
rules_building_block/discovery_win_network_connections.toml

rules/windows/credential_access_dcsync_replication_rights.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
rules_building_block/initial_access_github_new_user_agent_for_user.toml

rules/windows/execution_via_hidden_shell_conhost.toml
rules_building_block/defense_evasion_invalid_codesign_imageload.toml

rules/windows/execution_register_server_program_connecting_to_the_internet.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/execution_command_shell_started_by_unusual_process.toml
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/command_and_control_headless_browser.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/command_and_control_ingress_transfer_bits.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/command_and_control_rdp_tunnel_plink.toml
rules_building_block/lateral_movement_at.toml

rules/windows/defense_evasion_posh_encryption.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/credential_access_saved_creds_vault_winlog.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
rules_building_block/discovery_hosts_file_access.toml

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/initial_access_exploit_jetbrains_teamcity.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
rules_building_block/defense_evasion_masquerading_browsers.toml

rules/windows/credential_access_dnsnode_creation.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/discovery_admin_recon.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
rules_building_block/execution_unsigned_service_executable.toml

rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

rules/windows/execution_suspicious_cmd_wmi.toml
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
rules_building_block/persistence_transport_agent_exchange.toml

rules/windows/lateral_movement_alternate_creds_pth.toml
rules_building_block/credential_access_win_private_key_access.toml

rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

rules/linux/persistence_dbus_service_creation.toml
rules_building_block/persistence_creation_of_kernel_module.toml

rules/linux/discovery_sudo_allowed_command_enumeration.toml
rules_building_block/discovery_potential_memory_seeking_activity.toml

rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
rules_building_block/discovery_net_view.toml

rules/windows/execution_command_prompt_connecting_to_the_internet.toml
rules_building_block/discovery_posh_generic.toml

rules/windows/defense_evasion_wsl_enabled_via_dism.toml
rules_building_block/lateral_movement_at.toml

rules/windows/credential_access_adidns_wpad_record.toml
rules_building_block/discovery_system_service_discovery.toml

rules/windows/defense_evasion_indirect_exec_forfiles.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/credential_access_disable_kerberos_preauth.toml
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml

rules/windows/initial_access_execution_from_inetcache.toml
rules_building_block/lateral_movement_wmic_remote.toml

rules/windows/execution_enumeration_via_wmiprvse.toml
rules_building_block/discovery_generic_process_discovery.toml

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
rules_building_block/discovery_net_share_discovery_winlog.toml

rules/windows/collection_posh_mailbox.toml
rules_building_block/execution_settingcontent_ms_file_creation.toml

rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
rules_building_block/defense_evasion_unusual_process_path_wbem.toml

rules/windows/defense_evasion_clearing_windows_event_logs.toml
rules_building_block/defense_evasion_download_susp_extension.toml

rules/windows/credential_access_dcsync_newterm_subjectuser.toml
rules_building_block/command_and_control_bitsadmin_activity.toml

rules/windows/defense_evasion_iis_httplogging_disabled.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/windows/credential_access_shadow_credentials.toml
rules_building_block/defense_evasion_cmstp_execution.toml

rules/linux/execution_executable_stack_execution.toml
rules_building_block/discovery_capnetraw_capability.toml

rules/windows/defense_evasion_cve_2020_0601.toml
rules_building_block/execution_wmi_wbemtest.toml

rules/windows/discovery_group_policy_object_discovery.toml
rules_building_block/defense_evasion_services_exe_path.toml