53 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (6:67, 33%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:68, 37%) 51 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (7:65, 33%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:68, 35%) 42 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (93:145, 32%) - rules_building_block/persistence_web_server_sus_file_creation.toml (85:137, 34%) 42 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (88:140, 33%) - rules_building_block/persistence_web_server_sus_file_creation.toml (85:137, 34%) 40 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (6:51, 25%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:52, 27%) 39 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (82:131, 34%) - rules_building_block/persistence_web_server_sus_file_creation.toml (88:137, 32%) 36 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (62:103, 24%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:104, 26%) 32 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:297, 11%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:111, 32%) 31 duplicated lines in: - rules/windows/discovery_admin_recon.toml (95:134, 27%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (42:81, 44%) 30 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (27:60, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:59, 24%) 30 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (25:58, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:59, 24%) 29 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (98:134, 25%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:103, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (140:176, 19%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:103, 32%) 28 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (26:58, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:57, 23%) 28 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (21:48, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:57, 38%) 28 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (22:54, 30%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:164, 20%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:203, 15%) 28 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (27:58, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:57, 23%) 28 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (22:53, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:57, 38%) 28 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (20:52, 30%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (22:49, 28%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (28:59, 36%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (28:59, 36%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (26:57, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:57, 23%) 28 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (21:52, 29%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:164, 20%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:79, 40%) 28 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (93:126, 26%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:126, 26%) 28 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (25:57, 28%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (23:54, 29%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (28:55, 27%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 27 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (24:50, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (30:60, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (113:143, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (152:182, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (142:172, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (23:53, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (23:53, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_grub_makeconfig.toml (24:50, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (109:139, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (22:52, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:56, 35%) 27 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (21:51, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (95:125, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/windows/discovery_admin_recon.toml (95:127, 24%) - rules_building_block/discovery_generic_account_groups.toml (62:94, 28%) 27 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (87:117, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (142:172, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (27:57, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (21:47, 39%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (29:60, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_potential_persistence_script_executable_bit_set.toml (30:60, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (140:170, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (119:149, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (144:174, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (28:58, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (27:57, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (126:156, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (27:57, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (27:57, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (22:52, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (122:152, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (23:54, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (23:53, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (31:57, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (24:50, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_extract_initramfs_via_cpio.toml (30:56, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (24:54, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (28:58, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (22:52, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (23:53, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (125:155, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (22:52, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_rc_local_service_already_running.toml (31:61, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (31:57, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (110:140, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (21:51, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:56, 35%) 27 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (24:54, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:56, 35%) 27 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (25:55, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (21:51, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_openssl_passwd_hash_generation.toml (24:54, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (26:56, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:56, 35%) 27 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (27:57, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 27 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (24:55, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:56, 22%) 26 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml (23:52, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml (23:52, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (21:50, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (25:54, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (28:57, 33%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (27:56, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (115:144, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (28:57, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (21:50, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (25:54, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (28:57, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (29:59, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (20:50, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (23:52, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_root_certificate_installation.toml (25:54, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (22:51, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (28:57, 33%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_writable_docker_socket.toml (25:54, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (87:116, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (22:51, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_grub_makeconfig.toml (24:49, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (23:52, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (26:55, 26%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml (24:53, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (24:53, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (24:53, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (23:53, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (21:50, 35%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (122:151, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_kill_command_executed.toml (21:50, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_uid_change_post_compilation.toml (21:50, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (21:50, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (25:54, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (24:53, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (22:51, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (22:51, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (23:52, 24%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (22:47, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (28:57, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (21:50, 26%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml (23:52, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/impact_process_kill_threshold.toml (50:79, 29%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (106:135, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (28:57, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (23:52, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (22:51, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (25:55, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (24:53, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (26:55, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (25:54, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml (22:52, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (74:103, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (22:51, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/impact_data_encrypted_via_openssl.toml (25:54, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (22:51, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (25:54, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/impact_potential_linux_ransomware_note_detected.toml (23:52, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (24:53, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (23:52, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_linux_uid_int_max_bug.toml (26:55, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (27:56, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (24:53, 28%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (23:52, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_potential_proot_exploits.toml (30:59, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (23:52, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (24:53, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (26:55, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (31:56, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml (24:53, 26%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (23:52, 26%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (28:57, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (22:51, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml (23:52, 34%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (23:52, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_openssl_passwd_hash_generation.toml (24:53, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (21:50, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (22:51, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (27:56, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml (23:52, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (23:52, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (24:49, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (24:54, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (114:143, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (31:56, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_extract_initramfs_via_cpio.toml (30:55, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_dac_permissions.toml (22:52, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (21:46, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (24:53, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution.toml (22:51, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (25:54, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (24:53, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (22:51, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_sudo_cve_2019_14287.toml (25:54, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (21:50, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (29:58, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml (21:50, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (29:58, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (24:54, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (22:51, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (21:51, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (26:55, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution.toml (22:51, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (21:50, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_disable_apparmor_attempt.toml (23:52, 24%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (114:143, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (21:50, 35%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (23:52, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (23:52, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (22:51, 24%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (28:53, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (22:51, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (26:55, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (23:52, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (25:54, 27%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (22:51, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (21:51, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (115:144, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (25:54, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/persistence_potential_persistence_script_executable_bit_set.toml (30:59, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (21:46, 37%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (27:56, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_disable_apparmor_attempt.toml (23:52, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (23:52, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (30:59, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (23:52, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (23:52, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (23:52, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (23:52, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (24:49, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (23:52, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (119:148, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (21:50, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (23:54, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_kill_command_executed.toml (21:50, 27%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (22:51, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (23:52, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (23:53, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_mount_execution.toml (28:57, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (23:52, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (27:56, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (117:146, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (22:52, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (27:56, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (24:53, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (23:54, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (21:50, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/credential_access_potential_linux_local_account_bruteforce.toml (21:50, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:55, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (25:54, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 25 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (29:57, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:55, 20%) 25 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (68:97, 26%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (46:75, 34%) 24 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (34:61, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:53, 19%) 24 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (71:97, 26%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:75, 33%) 24 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (29:54, 30%) - rules_building_block/discovery_capnetraw_capability.toml (30:55, 31%) 24 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (29:54, 22%) - rules_building_block/discovery_capnetraw_capability.toml (30:55, 31%) 24 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (21:44, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:53, 31%) 24 duplicated lines in: - rules/linux/discovery_docker_socket_discovery.toml (25:52, 32%) - rules_building_block/discovery_capnetraw_capability.toml (26:53, 31%) 24 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (3:34, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (3:34, 17%) 24 duplicated lines in: - rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml (28:53, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:55, 33%) 24 duplicated lines in: - rules/linux/discovery_docker_socket_discovery.toml (25:52, 32%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:53, 33%) 24 duplicated lines in: - rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml (28:53, 23%) - rules_building_block/discovery_capnetraw_capability.toml (30:55, 31%) 24 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (21:44, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:53, 33%) 24 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (29:54, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:55, 33%) 24 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (29:54, 30%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:55, 33%) 23 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (22:48, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:52, 29%) 23 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (22:48, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:52, 31%) 23 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (6:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (6:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (6:32, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (6:32, 19%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (6:32, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (6:32, 18%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (6:32, 20%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml (6:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (22:48, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:52, 29%) 23 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (6:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (6:32, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (6:32, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (6:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (6:32, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (6:32, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (6:32, 20%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (6:32, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (6:32, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/credential_access_bruteforce_admin_account.toml (6:32, 19%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (6:32, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (6:32, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (6:32, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (6:32, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (6:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (6:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (20:48, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:52, 31%) 23 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (22:48, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:52, 31%) 23 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (6:32, 18%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (6:32, 18%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (20:48, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:52, 29%) 23 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/privilege_escalation_named_pipe_impersonation.toml (6:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (6:32, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (6:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (22:48, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:52, 29%) 23 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (6:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:33, 16%) 23 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (22:48, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:52, 31%) 22 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (145:172, 15%) - rules_building_block/command_and_control_bitsadmin_activity.toml (56:83, 25%) 22 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (72:98, 24%) - rules_building_block/execution_unsigned_service_executable.toml (40:66, 30%) 21 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (27:51, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (24:44, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (31:51, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (27:51, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (28:52, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (23:47, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (26:50, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (9:32, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/credential_access_potential_linux_local_account_bruteforce.toml (21:45, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (9:32, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/persistence_rc_local_service_already_running.toml (31:55, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (22:46, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (23:47, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_linux_uid_int_max_bug.toml (26:50, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (25:49, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (22:46, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (24:48, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (9:32, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (28:52, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (25:49, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (9:32, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (27:51, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (22:46, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_cve_2019_14287.toml (25:49, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (22:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_root_certificate_installation.toml (25:49, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (7:30, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml (23:47, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (125:149, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_mount_execution.toml (28:52, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (23:48, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (28:52, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (74:98, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (28:52, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (29:53, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (21:45, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (26:50, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (24:48, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (22:46, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (7:30, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (24:48, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (24:48, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (25:49, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_file_creation.toml (76:100, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (114:138, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (28:52, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (23:47, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (21:45, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (22:46, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (24:48, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (9:32, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/command_and_control_linux_proxychains_activity.toml (9:36, 17%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (126:150, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/credential_access_kerberoasting_unusual_process.toml (9:32, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (25:49, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (25:49, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml (21:45, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_potential_persistence_script_executable_bit_set.toml (30:54, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (27:51, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (24:48, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_address.toml (6:29, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (23:48, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (122:146, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml (76:100, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (27:51, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (24:49, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (27:51, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (27:51, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (25:49, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (23:47, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (24:49, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (27:51, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (27:51, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (20:45, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_enlightenment_window_manager.toml (22:47, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/command_and_control_linux_ssh_x11_forwarding.toml (9:36, 17%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (74:98, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml (75:99, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (22:46, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (7:30, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (27:51, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/impact_data_encrypted_via_openssl.toml (25:49, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (21:41, 30%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (9:36, 13%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (22:46, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (24:48, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (23:47, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (33:57, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_registry.toml (6:29, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/privilege_escalation_enlightenment_window_manager.toml (22:47, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_linux_uid_int_max_bug.toml (26:50, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (34:58, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (22:46, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (23:47, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (24:48, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml (75:99, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (9:32, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/credential_access_potential_linux_local_account_bruteforce.toml (21:45, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml (7:30, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (21:45, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_hash.toml (6:29, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (9:32, 18%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (9:32, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/privilege_escalation_overlayfs_local_privesc.toml (25:49, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_grub_makeconfig.toml (24:44, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (28:52, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (26:51, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/impact_process_kill_threshold.toml (50:74, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (7:34, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (23:47, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (26:50, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (25:49, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_cve_2019_14287.toml (25:49, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml (77:101, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (23:47, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (7:30, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (125:149, 13%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (152:176, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (21:45, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (95:119, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (22:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (7:30, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (7:30, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (22:46, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (22:46, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (106:130, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (23:47, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (74:98, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (110:134, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (23:47, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_overlayfs_local_privesc.toml (25:49, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_potential_proot_exploits.toml (30:54, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (23:47, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (33:57, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (133:157, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (23:48, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (27:51, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (24:44, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (114:138, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (24:49, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml (76:100, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (24:48, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (42:66, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (115:139, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml (22:47, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_potential_proot_exploits.toml (30:54, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_file_creation.toml (76:100, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (117:141, 13%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (113:137, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (28:52, 27%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_mount_execution.toml (28:52, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml (23:47, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_writable_docker_socket.toml (25:49, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (23:47, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (6:29, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (23:48, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/impact_process_kill_threshold.toml (50:74, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_dac_permissions.toml (22:47, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (114:138, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (108:132, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (144:168, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (26:50, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (142:166, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (25:50, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (109:133, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (9:32, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (22:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (9:36, 13%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (142:166, 9%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (26:51, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (21:45, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (23:47, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (117:141, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (23:47, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (133:157, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml (75:99, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (24:48, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (7:34, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (23:47, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (113:137, 11%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (28:52, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (110:134, 13%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (30:54, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (23:48, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (24:48, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (25:49, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (26:50, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (34:58, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (24:48, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (27:51, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (114:138, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (22:46, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (27:51, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (87:111, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (108:132, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (25:49, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml (77:101, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (113:137, 13%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (144:168, 9%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (25:49, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (126:150, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (133:157, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/impact_data_encrypted_via_openssl.toml (25:49, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml (23:47, 27%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_dac_permissions.toml (22:47, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml (76:100, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (25:49, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (25:49, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (21:45, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (20:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (23:47, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (23:49, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (25:49, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (22:46, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_file_creation.toml (76:100, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (21:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (23:47, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (23:47, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (9:36, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (74:98, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (24:48, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (26:50, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (22:46, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_root_certificate_installation.toml (25:49, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (23:47, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (24:48, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (42:66, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (30:54, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (28:52, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (27:51, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (113:137, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_disable_apparmor_attempt.toml (23:47, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (142:166, 10%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (109:133, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (7:30, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (7:30, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/impact_potential_linux_ransomware_note_detected.toml (23:47, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (27:51, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_overlayfs_local_privesc.toml (25:49, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (22:46, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (7:34, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (140:164, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (25:49, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml (24:48, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (28:48, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml (77:101, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (23:47, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_rc_local_service_already_running.toml (31:55, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (21:45, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (26:50, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (21:41, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (30:54, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (23:47, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:229, 9%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:194, 11%) 21 duplicated lines in: - rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml (23:47, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (95:119, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (140:164, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (22:47, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/impact_potential_linux_ransomware_note_detected.toml (23:47, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (152:176, 9%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (21:45, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (74:98, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (29:54, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (21:41, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (21:45, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (142:166, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (119:143, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (23:47, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (27:51, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (23:48, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution.toml (22:46, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (27:51, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (31:51, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:229, 9%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:70, 30%) 21 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (22:46, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (28:52, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (28:52, 27%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (25:49, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (7:30, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (7:30, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:33, 14%) 21 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (33:57, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (42:66, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/discovery_docker_socket_discovery.toml (25:49, 28%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (22:46, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (113:137, 11%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (22:42, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (22:46, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (27:51, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_writable_docker_socket.toml (25:49, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_extract_initramfs_via_cpio.toml (30:50, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_uid_change_post_compilation.toml (21:45, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (28:52, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (21:45, 28%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (30:54, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml (21:45, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (22:46, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (119:145, 16%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:102, 22%) 21 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (22:46, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (21:45, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_openssl_passwd_hash_generation.toml (24:48, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_kill_command_executed.toml (21:45, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (25:49, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_uid_change_post_compilation.toml (21:45, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (28:52, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml (22:47, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (21:45, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:50, 17%) 21 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (24:48, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (27:51, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (27:51, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (108:132, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (26:50, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (106:130, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_enlightenment_window_manager.toml (22:47, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 20 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (21:44, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (18:40, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (11:33, 13%) 20 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (94:117, 20%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (79:102, 21%) 20 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (94:117, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:49, 16%) 20 duplicated lines in: - rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml (26:50, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (39:61, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (11:33, 13%) 20 duplicated lines in: - rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml (29:52, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (94:117, 10%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (21:44, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:49, 16%) 20 duplicated lines in: - rules/linux/privilege_escalation_container_util_misconfiguration.toml (27:50, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (21:44, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/privilege_escalation_container_util_misconfiguration.toml (27:50, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml (26:50, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:49, 16%) 20 duplicated lines in: - rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml (26:50, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/privilege_escalation_container_util_misconfiguration.toml (27:50, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:49, 16%) 20 duplicated lines in: - rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml (29:52, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:49, 16%) 20 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (94:117, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (21:44, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml (23:46, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml (23:46, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml (29:52, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (21:44, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (21:44, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:49, 16%) 20 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (29:52, 20%) - rules_building_block/discovery_capnetraw_capability.toml (28:50, 25%) 20 duplicated lines in: - rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml (23:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:49, 16%) 20 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (29:52, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (28:50, 27%) 19 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (138:162, 14%) - rules_building_block/persistence_startup_folder_lnk.toml (46:70, 30%) 19 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (29:49, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:50, 15%) 19 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (29:49, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:50, 15%) 19 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (183:206, 10%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:72, 25%) 19 duplicated lines in: - rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml (28:48, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:50, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:142, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:103, 20%) 18 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (29:48, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (115:135, 15%) - rules_building_block/collection_posh_compression.toml (120:142, 14%) 18 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (31:50, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (137:159, 12%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:72, 24%) 18 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (32:51, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (32:51, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (33:52, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (116:135, 9%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (29:48, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (29:48, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (29:48, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:134, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:112, 18%) 18 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (35:54, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (118:137, 11%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (82:101, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (28:47, 20%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (31:50, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (62:81, 14%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (32:51, 13%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (31:50, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (63:81, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (123:143, 14%) - rules_building_block/collection_posh_compression.toml (120:142, 14%) 18 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (65:83, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/command_and_control_linux_ssh_x11_forwarding.toml (64:82, 15%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (92:113, 14%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (33:52, 13%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (116:135, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (88:109, 18%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (34:53, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (28:47, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (37:56, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml (21:42, 27%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (129:149, 14%) - rules_building_block/collection_posh_compression.toml (120:142, 14%) 18 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (33:52, 16%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (57:78, 17%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (28:47, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (29:48, 16%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (124:144, 14%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:82, 25%) 18 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (22:43, 17%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (33:52, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (88:109, 20%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:118, 18%) - rules_building_block/defense_evasion_service_path_registry.toml (62:82, 20%) 18 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (166:185, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (118:137, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (37:56, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (31:50, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (32:51, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/discovery_linux_nping_activity.toml (35:54, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (85:106, 20%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (35:54, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (112:133, 14%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:142, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:103, 20%) 18 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (137:157, 13%) - rules_building_block/collection_posh_compression.toml (120:142, 14%) 18 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:142, 14%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:112, 18%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:207, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:112, 18%) 18 duplicated lines in: - rules/linux/persistence_rc_local_error_via_syslog.toml (29:50, 20%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (26:45, 18%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (34:53, 11%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (63:81, 11%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (82:101, 13%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (31:50, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (37:56, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (145:167, 11%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (46:68, 25%) 18 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (29:48, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (29:48, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (20:41, 20%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:185, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:103, 20%) 18 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (33:52, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/discovery_linux_nping_activity.toml (35:54, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/discovery_linux_nping_activity.toml (35:54, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (166:185, 8%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (106:127, 16%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (26:45, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (116:135, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/initial_access_first_time_public_key_authentication.toml (27:48, 25%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_shared_object.toml (30:49, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (85:105, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (85:105, 13%) 18 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (62:81, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (64:82, 11%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (33:52, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:207, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:103, 20%) 18 duplicated lines in: - rules/linux/command_and_control_linux_proxychains_activity.toml (64:82, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (96:118, 16%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:72, 24%) 18 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:118, 18%) - rules_building_block/defense_evasion_services_exe_path.toml (59:79, 21%) 18 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (166:185, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (34:53, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:142, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:112, 18%) 18 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (110:130, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (110:130, 15%) 18 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (26:45, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:134, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:103, 20%) 18 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (82:101, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:149, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:103, 20%) 18 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (35:54, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (63:81, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:149, 14%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:112, 18%) 18 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (32:51, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:134, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:112, 18%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:185, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:112, 18%) 18 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (29:48, 14%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (107:127, 17%) - rules_building_block/collection_posh_compression.toml (120:142, 14%) 18 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (63:84, 24%) - rules_building_block/lateral_movement_at.toml (40:61, 27%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (37:56, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (118:137, 11%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (75:96, 20%) - rules_building_block/lateral_movement_at.toml (40:61, 27%) 18 duplicated lines in: - rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml (75:96, 23%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (29:48, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (22:43, 17%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (29:48, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_shared_object.toml (30:49, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (29:48, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (63:81, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (33:52, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (29:48, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (34:53, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (34:53, 11%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (37:56, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (32:51, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (34:53, 14%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:176, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:112, 18%) 18 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (27:46, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_shared_object.toml (30:49, 16%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (33:52, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (33:52, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (114:135, 15%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (62:81, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (30:49, 14%) 18 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (27:46, 21%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (37:56, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (138:160, 12%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (46:68, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (31:50, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (92:114, 16%) - rules_building_block/execution_unsigned_service_executable.toml (40:62, 25%) 18 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (27:46, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 17 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (10:28, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (15:33, 11%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:112, 17%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:59, 30%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (90:112, 17%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:59, 30%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:112, 17%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:58, 31%) 17 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (122:142, 12%) - rules_building_block/defense_evasion_services_exe_path.toml (63:82, 20%) 17 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (150:169, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (66:85, 19%) 17 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (94:113, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:89, 19%) 17 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (124:143, 12%) - rules_building_block/defense_evasion_service_path_registry.toml (66:85, 19%) 17 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (124:143, 12%) - rules_building_block/defense_evasion_services_exe_path.toml (63:82, 20%) 17 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (168:187, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (63:82, 20%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (90:112, 17%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:58, 31%) 17 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (95:116, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:89, 19%) 17 duplicated lines in: - rules/windows/persistence_services_registry.toml (106:125, 14%) - rules_building_block/defense_evasion_services_exe_path.toml (63:82, 20%) 17 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (122:142, 12%) - rules_building_block/defense_evasion_service_path_registry.toml (66:85, 19%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:112, 17%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:58, 31%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (90:112, 17%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:59, 30%) 17 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (86:105, 17%) - rules_building_block/defense_evasion_service_path_registry.toml (66:85, 19%) 17 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (10:28, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (15:33, 11%) 17 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (6:26, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:27, 11%) 17 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (168:187, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (66:85, 19%) 17 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (114:135, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:89, 19%) 17 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (99:118, 16%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:72, 22%) 17 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (86:105, 17%) - rules_building_block/defense_evasion_services_exe_path.toml (63:82, 20%) 17 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (93:112, 15%) - rules_building_block/lateral_movement_wmic_remote.toml (54:73, 23%) 17 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (95:114, 15%) - rules_building_block/defense_evasion_services_exe_path.toml (63:82, 20%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:112, 17%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:59, 30%) 17 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (85:104, 17%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:89, 19%) 17 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (95:114, 15%) - rules_building_block/defense_evasion_service_path_registry.toml (66:85, 19%) 17 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (150:169, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (63:82, 20%) 17 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (90:109, 17%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:72, 22%) 17 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (10:28, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (15:33, 11%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (90:112, 17%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:58, 31%) 17 duplicated lines in: - rules/windows/persistence_services_registry.toml (106:125, 14%) - rules_building_block/defense_evasion_service_path_registry.toml (66:85, 19%) 16 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:97, 19%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:59, 29%) 16 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:97, 19%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:58, 29%) 16 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:127, 14%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:58, 29%) 16 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (146:166, 11%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:69, 21%) 16 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (133:152, 12%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (62:81, 22%) 16 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:97, 19%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:59, 29%) 16 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:127, 14%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:58, 29%) 16 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (183:203, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:100, 17%) 16 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (170:189, 10%) - rules_building_block/persistence_creation_of_kernel_module.toml (36:56, 32%) 16 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (146:166, 11%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:100, 17%) 16 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:127, 14%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:59, 29%) 16 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:97, 19%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:58, 29%) 16 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (80:98, 14%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (79:97, 17%) 16 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:127, 14%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:59, 29%) 15 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (114:133, 13%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (104:121, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (72:89, 17%) 15 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml (106:125, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:109, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:56, 27%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_network_watcher_deletion.toml (79:98, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (62:80, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (25:40, 13%) 15 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:107, 16%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:56, 27%) 15 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml (73:92, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (62:80, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:42, 17%) 15 duplicated lines in: - rules/linux/command_and_control_linux_ssh_x11_forwarding.toml (90:106, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (159:175, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (53:69, 21%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml (93:112, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (33:52, 34%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml (94:113, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (96:115, 14%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:111, 16%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:56, 27%) 15 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (85:102, 15%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:56, 27%) 15 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (62:80, 9%) - rules_building_block/collection_posh_compression.toml (24:42, 12%) 15 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (122:140, 12%) - rules_building_block/discovery_security_software_wmic.toml (71:90, 17%) 15 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (91:109, 14%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:56, 30%) 15 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (64:82, 20%) - rules_building_block/defense_evasion_generic_deletion.toml (50:69, 24%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:121, 14%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:55, 27%) 15 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (95:111, 10%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml (98:117, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml (75:94, 19%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (91:107, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:133, 10%) 15 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (166:185, 9%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml (82:101, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (146:165, 10%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:95, 15%) 15 duplicated lines in: - rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml (100:119, 15%) - rules_building_block/credential_access_win_private_key_access.toml (74:93, 17%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:111, 16%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:55, 27%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:111, 16%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:56, 27%) 15 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (89:108, 14%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:70, 23%) 15 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:107, 16%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:55, 27%) 15 duplicated lines in: - rules/_deprecated/persistence_kernel_module_activity.toml (33:52, 33%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:56, 30%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:121, 14%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:56, 27%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (114:132, 12%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (53:69, 21%) 15 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (91:107, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml (105:124, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (160:178, 10%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:59, 24%) 15 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (94:110, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (114:133, 13%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (9:26, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (10:27, 10%) 15 duplicated lines in: - rules/linux/command_and_control_linux_proxychains_activity.toml (94:110, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (103:122, 14%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml (95:114, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (85:102, 15%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:54, 31%) 15 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:109, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:55, 27%) 15 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (62:80, 9%) - rules_building_block/discovery_posh_password_policy.toml (24:42, 13%) 15 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (137:156, 10%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (103:122, 14%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_acl_deletion.toml (81:100, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:109, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:56, 27%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:111, 16%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:55, 27%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml (78:97, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml (78:97, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (62:80, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:47, 14%) 15 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:107, 16%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:55, 27%) 15 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (91:107, 10%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:107, 16%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:56, 27%) 15 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (86:105, 17%) - rules_building_block/defense_evasion_generic_deletion.toml (50:69, 24%) 15 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (135:154, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml (74:93, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (166:185, 9%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (62:80, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:45, 15%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:121, 14%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:56, 27%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml (83:102, 17%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml (87:106, 17%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_event_hub_deletion.toml (78:97, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:136, 13%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:61, 27%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml (80:99, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (73:92, 17%) - rules_building_block/defense_evasion_generic_deletion.toml (50:69, 24%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml (96:115, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:86, 17%) 15 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (91:107, 10%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:109, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:55, 27%) 15 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (62:80, 9%) - rules_building_block/discovery_posh_generic.toml (24:42, 5%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:121, 14%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:55, 27%) 14 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (111:127, 13%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (109:126, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:215, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (133:149, 11%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (88:104, 13%) - rules_building_block/collection_outlook_email_archive.toml (55:71, 21%) 14 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:105, 15%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:68, 23%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (191:207, 8%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:135, 12%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:89, 18%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (29:46, 10%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (64:81, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (147:163, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (29:46, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (60:77, 13%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:106, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:106, 14%) 14 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (93:109, 14%) - rules_building_block/defense_evasion_services_exe_path.toml (80:96, 16%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (109:126, 9%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (108:124, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (68:85, 11%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (25:42, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (67:84, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:297, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:203, 7%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (133:149, 10%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (148:164, 9%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (114:130, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (100:116, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:104, 16%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (114:130, 12%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (88:104, 16%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (86:101, 16%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:56, 25%) 14 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (87:101, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:133, 9%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (109:126, 9%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (116:133, 4%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (110:123, 11%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:75, 19%) 14 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (101:117, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (108:125, 9%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (157:173, 9%) - rules_building_block/execution_unsigned_service_executable.toml (43:59, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (109:125, 12%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (109:125, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml (101:117, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (148:164, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (60:77, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (118:134, 12%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:145, 10%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:87, 14%) 14 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (102:115, 12%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:75, 19%) 14 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (107:122, 13%) - rules_building_block/lateral_movement_wmic_remote.toml (67:82, 19%) 14 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (158:171, 8%) - rules_building_block/discovery_posh_generic.toml (284:298, 5%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (122:135, 11%) - rules_building_block/collection_posh_compression.toml (120:136, 11%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (120:136, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (126:142, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (23:40, 11%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (114:130, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (119:135, 12%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:165, 10%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml (69:85, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (64:81, 10%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (124:140, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (29:46, 10%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (86:101, 16%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:55, 25%) 14 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (88:104, 16%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (26:43, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (107:124, 10%) - rules_building_block/discovery_net_share_discovery_winlog.toml (44:61, 22%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (89:103, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:133, 9%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (29:46, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (141:157, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (25:42, 12%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (26:43, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (119:135, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (120:136, 12%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (116:133, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (64:81, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (110:127, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (48:65, 16%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (59:76, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (116:132, 13%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (118:134, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (117:133, 12%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:117, 14%) 14 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:107, 15%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:59, 26%) 14 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (104:120, 14%) - rules_building_block/defense_evasion_generic_deletion.toml (53:69, 22%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (108:125, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml (149:165, 10%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:65, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (68:85, 11%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (67:84, 10%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (67:84, 10%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/linux/defense_evasion_kill_command_executed.toml (89:105, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (108:124, 11%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (135:149, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (110:123, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (111:127, 13%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (123:139, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (60:77, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:347, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (114:130, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:215, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:61, 25%) 14 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_detected.toml (77:93, 19%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:347, 4%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml (103:119, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (100:116, 12%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:107, 14%) 14 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (73:86, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (110:123, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (105:121, 13%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:68, 23%) 14 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (81:97, 17%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (60:77, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (64:81, 11%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (133:149, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:95, 16%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:55, 25%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (108:125, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (169:185, 9%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (126:142, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (120:136, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (173:189, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (63:79, 16%) 14 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (110:127, 11%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:63, 21%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (120:136, 12%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (90:106, 16%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/linux/defense_evasion_disable_apparmor_attempt.toml (109:125, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (65:82, 11%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (87:101, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:133, 9%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (133:149, 11%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (23:40, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (67:84, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (124:140, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (128:144, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (26:43, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (68:85, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (119:135, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:219, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:87, 14%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (123:139, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (160:176, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (112:128, 13%) - rules_building_block/execution_unsigned_service_executable.toml (43:59, 19%) 14 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (116:130, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:133, 9%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (26:43, 12%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (131:147, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:104, 16%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:61, 25%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (25:42, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (64:81, 11%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (118:134, 12%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (108:125, 9%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (124:140, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (91:107, 15%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:70, 22%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (116:133, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (116:133, 4%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (148:165, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (57:74, 16%) 14 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (117:133, 12%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:79, 20%) 14 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (90:106, 14%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (141:157, 10%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:95, 16%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:56, 25%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (64:81, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (100:116, 14%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (111:124, 12%) - rules_building_block/collection_posh_compression.toml (120:136, 11%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (114:130, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (116:132, 12%) - rules_building_block/defense_evasion_services_exe_path.toml (63:79, 16%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (25:42, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (133:149, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:273, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:60, 20%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (65:82, 11%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (64:81, 13%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (67:84, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (111:127, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (108:125, 8%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (64:81, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (110:126, 13%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (147:163, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (133:149, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (66:82, 16%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (120:136, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (111:127, 13%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (127:143, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (60:77, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (120:136, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (165:181, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:121, 13%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:89, 18%) 14 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (97:113, 13%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:297, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:79, 20%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (26:43, 12%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (26:43, 12%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (99:115, 12%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (133:149, 10%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:142, 11%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:142, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (67:84, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (108:125, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (239:255, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:117, 14%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:347, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (116:132, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (102:118, 12%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (119:135, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (64:81, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (95:111, 13%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (122:139, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (57:74, 16%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (148:164, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (141:157, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (120:136, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:201, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:61, 25%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (65:82, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:142, 11%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (25:42, 12%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:201, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (59:76, 12%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (64:81, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (86:101, 16%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:55, 25%) 14 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (96:112, 13%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (100:116, 14%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:79, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (68:85, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (98:114, 14%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:65, 19%) 14 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (81:97, 17%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (108:125, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (121:137, 12%) - rules_building_block/defense_evasion_service_path_registry.toml (66:82, 16%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (64:81, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (148:164, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (27:42, 10%) - rules_building_block/defense_evasion_write_dac_access.toml (30:45, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (26:43, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (99:115, 13%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (64:81, 10%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (120:136, 10%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (131:147, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (63:79, 16%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (127:143, 11%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (123:139, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (68:83, 11%) - rules_building_block/defense_evasion_write_dac_access.toml (30:45, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (124:140, 12%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (26:43, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (64:81, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (116:132, 13%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (118:134, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (131:147, 11%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (131:145, 10%) - rules_building_block/discovery_posh_generic.toml (202:216, 5%) 14 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:121, 13%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:68, 23%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (133:149, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (68:85, 11%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (59:76, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (29:46, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:95, 16%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:55, 25%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (147:163, 9%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (108:125, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (68:85, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (123:139, 11%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (160:176, 9%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (116:132, 12%) - rules_building_block/defense_evasion_service_path_registry.toml (66:82, 16%) 14 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (133:149, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (63:79, 16%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (64:81, 10%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (107:123, 13%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:65, 19%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (26:43, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (169:185, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (118:134, 12%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (110:126, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (116:133, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (126:142, 9%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:144, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:106, 14%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (120:136, 12%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (118:134, 12%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (64:81, 13%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (191:207, 8%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (186:202, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:65, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (109:125, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (124:140, 12%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (68:85, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (60:77, 13%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (118:131, 10%) - rules_building_block/discovery_posh_generic.toml (284:298, 5%) 14 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_prevented.toml (76:92, 19%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (119:135, 12%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (141:155, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:56, 25%) 14 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (93:109, 14%) - rules_building_block/defense_evasion_service_path_registry.toml (83:99, 16%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (147:163, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (147:163, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (141:157, 10%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (118:131, 10%) - rules_building_block/discovery_posh_password_policy.toml (104:117, 12%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (123:139, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (131:147, 11%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (113:129, 9%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:82, 19%) 14 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_detected.toml (77:93, 19%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (114:130, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (109:125, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (60:77, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (109:125, 12%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (109:126, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (65:82, 11%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (26:43, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (120:136, 10%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (169:185, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (83:99, 17%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:61, 25%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (110:126, 13%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml (86:102, 15%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (135:152, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (57:74, 16%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (109:125, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:148, 11%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (148:164, 9%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:128, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:106, 14%) 14 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (92:106, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:133, 9%) 14 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (158:171, 8%) - rules_building_block/discovery_posh_password_policy.toml (104:117, 12%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (133:149, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:347, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (108:125, 8%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:95, 16%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:56, 25%) 14 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:165, 10%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:61, 25%) 14 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:106, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:96, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (108:125, 9%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (110:126, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (26:43, 12%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (120:136, 12%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (191:207, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (108:124, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (127:143, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (110:127, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (51:68, 16%) 14 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (163:178, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:100, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (25:42, 12%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (131:147, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (66:82, 16%) 14 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (127:143, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (63:79, 16%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (147:163, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (116:133, 4%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (64:81, 13%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:273, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:184, 7%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (119:135, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (124:140, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (202:218, 7%) - rules_building_block/execution_unsigned_service_executable.toml (43:59, 19%) 14 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (118:134, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (123:139, 11%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (123:139, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (80:96, 16%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (133:149, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:142, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:347, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (60:77, 12%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (59:76, 12%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (100:116, 14%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:82, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (26:43, 12%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (116:132, 13%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (121:137, 12%) - rules_building_block/defense_evasion_services_exe_path.toml (63:79, 16%) 14 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (81:94, 16%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:75, 19%) 14 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (145:161, 10%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:117, 14%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (119:135, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:347, 4%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (117:133, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (133:149, 11%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (60:77, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (114:130, 12%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (118:134, 12%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (114:130, 12%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (111:127, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (133:149, 10%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (123:139, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (83:99, 16%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (110:126, 13%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (59:76, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (131:147, 11%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (116:132, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (131:147, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (89:105, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:107, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (64:81, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (65:82, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (141:155, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:54, 29%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (109:125, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml (149:165, 10%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:65, 19%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (118:134, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (116:132, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (131:147, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (119:135, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (123:139, 11%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (239:255, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:65, 19%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (141:157, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (191:207, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (101:117, 11%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:82, 19%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (133:149, 11%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (89:105, 15%) - rules_building_block/lateral_movement_wmic_remote.toml (54:70, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (29:46, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:144, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:96, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (29:46, 10%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (69:84, 10%) - rules_building_block/defense_evasion_write_dac_access.toml (30:45, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (119:135, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (60:77, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (26:43, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (120:136, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:141, 11%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:65, 19%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (23:40, 11%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (109:126, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (60:77, 12%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (109:126, 9%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (119:135, 12%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (25:42, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (108:125, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (133:149, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:135, 12%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:68, 23%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (118:134, 12%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:112, 15%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:76, 17%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (114:130, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (90:106, 16%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (119:135, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (119:135, 12%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (23:40, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:138, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:76, 17%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (147:163, 9%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (169:185, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (105:121, 13%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:89, 18%) 14 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (113:129, 9%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml (111:127, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (105:121, 13%) - rules_building_block/defense_evasion_services_exe_path.toml (80:96, 16%) 14 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (141:157, 10%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:65, 19%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (126:142, 11%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (116:132, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (86:101, 16%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:56, 25%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (141:157, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (127:143, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (66:82, 16%) 14 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml (86:102, 15%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (145:161, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:79, 20%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (160:176, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (109:125, 11%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:82, 19%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (133:149, 11%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (102:118, 12%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:142, 11%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (60:77, 12%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/lateral_movement_evasion_rdp_shadowing.toml (106:122, 13%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:70, 22%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:347, 4%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (160:176, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (92:106, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:133, 9%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:128, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:96, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (109:125, 12%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (149:166, 9%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:67, 17%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (114:130, 12%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (126:142, 11%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (87:103, 14%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:70, 22%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:164, 10%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:111, 14%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (60:77, 13%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (118:134, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/integrations/azure/impact_resource_group_deletion.toml (93:109, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (160:176, 9%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (105:121, 13%) - rules_building_block/defense_evasion_service_path_registry.toml (83:99, 16%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (72:88, 19%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:93, 14%) 14 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (126:142, 9%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:82, 19%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (26:43, 12%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (133:149, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (119:135, 12%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (111:127, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (120:136, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (105:121, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (127:143, 10%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml (111:127, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (165:181, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:82, 19%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (116:133, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (111:127, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (114:130, 12%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (133:149, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (59:76, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml (105:121, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (173:189, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (66:82, 16%) 14 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (102:118, 12%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:82, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (120:136, 10%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (94:110, 14%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:70, 22%) 14 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_prevented.toml (76:92, 19%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (124:140, 12%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (131:147, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (59:76, 12%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (239:255, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:79, 20%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (64:81, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (103:119, 12%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (148:164, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (64:81, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (64:81, 11%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/initial_access_execution_via_office_addins.toml (121:137, 10%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:82, 19%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (127:143, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (110:126, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (86:102, 15%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (81:97, 14%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (60:77, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (108:125, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/initial_access_execution_via_office_addins.toml (121:137, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (120:136, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (127:143, 11%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (155:171, 9%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (79:95, 14%) 14 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml (110:126, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:86, 15%) 14 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (143:159, 9%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (143:159, 9%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (23:40, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (24:41, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (191:207, 8%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (133:149, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:112, 14%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (65:82, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (67:84, 10%) - rules_building_block/discovery_posh_password_policy.toml (24:41, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:105, 15%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:89, 18%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (23:40, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (148:164, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (114:130, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (119:135, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (109:126, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (133:149, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:126, 13%) 14 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (108:124, 13%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:70, 22%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (169:185, 9%) - rules_building_block/collection_posh_compression.toml (125:142, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (108:125, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (25:39, 12%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (65:82, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (27:44, 14%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (126:142, 11%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (114:130, 12%) - rules_building_block/discovery_posh_password_policy.toml (108:124, 12%) 14 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (114:130, 12%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (114:130, 12%) - rules_building_block/discovery_posh_generic.toml (289:305, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (23:40, 11%) - rules_building_block/discovery_posh_generic.toml (24:41, 5%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (127:143, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:103, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (108:125, 8%) - rules_building_block/collection_posh_compression.toml (24:41, 11%) 14 duplicated lines in: - rules/cross-platform/execution_potential_widespread_malware_infection.toml (79:95, 17%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:65, 19%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (64:81, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (28:45, 13%) 13 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (83:97, 12%) - rules_building_block/lateral_movement_at.toml (43:57, 19%) 13 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (99:112, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (101:114, 9%) 13 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (83:96, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (6:21, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (7:22, 9%) 13 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (91:104, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (97:111, 12%) - rules_building_block/lateral_movement_at.toml (43:57, 19%) 13 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (105:119, 12%) - rules_building_block/command_and_control_bitsadmin_activity.toml (60:74, 15%) 13 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (65:79, 16%) - rules_building_block/lateral_movement_at.toml (43:57, 19%) 13 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (82:95, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_address.toml (87:99, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:133, 9%) 13 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (96:109, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (81:94, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (96:109, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (82:95, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/windows/discovery_command_system_account.toml (51:64, 13%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:62, 13%) 13 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (80:93, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (150:164, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:76, 15%) 13 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (93:106, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (99:113, 12%) - rules_building_block/lateral_movement_at.toml (43:57, 19%) 13 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (104:118, 11%) - rules_building_block/lateral_movement_at.toml (43:57, 19%) 13 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_registry.toml (81:93, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:133, 9%) 13 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (91:104, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (97:110, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:132, 9%) 13 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_hash.toml (86:98, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:133, 9%) 13 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (120:134, 10%) - rules_building_block/lateral_movement_at.toml (43:57, 19%) 12 duplicated lines in: - rules/integrations/github/persistence_organization_owner_role_granted.toml (75:89, 16%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (123:137, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (30:44, 12%) 12 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (16:30, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (64:78, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (31:45, 11%) 12 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (147:161, 8%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (78:92, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (30:44, 12%) 12 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (29:43, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (109:123, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (27:41, 13%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (97:111, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:112, 12%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (97:111, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (116:130, 10%) 12 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (34:48, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (33:47, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (22:34, 13%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:61, 12%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (97:111, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (89:103, 13%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (78:92, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (27:41, 13%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (78:92, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (31:45, 11%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (109:123, 6%) - rules_building_block/discovery_posh_password_policy.toml (27:41, 10%) 12 duplicated lines in: - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml (78:92, 16%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml (70:84, 16%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:129, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:76, 16%) 12 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (20:32, 10%) - rules_building_block/discovery_net_view.toml (52:64, 11%) 12 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (31:45, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (27:39, 11%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (30:42, 16%) 12 duplicated lines in: - rules/windows/discovery_admin_recon.toml (115:127, 10%) - rules_building_block/discovery_posh_generic.toml (205:216, 4%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (123:137, 7%) - rules_building_block/discovery_posh_password_policy.toml (27:41, 10%) 12 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (117:131, 10%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (103:117, 11%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (81:95, 12%) 12 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (64:76, 7%) - rules_building_block/discovery_net_view.toml (52:64, 11%) 12 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (107:118, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (101:112, 8%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (109:123, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (31:45, 11%) 12 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:129, 10%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:79, 16%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (78:92, 11%) - rules_building_block/collection_posh_compression.toml (27:41, 9%) 12 duplicated lines in: - rules/windows/impact_backup_file_deletion.toml (65:77, 10%) - rules_building_block/discovery_net_view.toml (52:64, 11%) 12 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (28:40, 10%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (24:39, 16%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (64:78, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (30:44, 12%) 12 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:161, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:57, 20%) 12 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (90:104, 11%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (92:107, 13%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (52:67, 19%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (64:78, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (28:39, 10%) 12 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (124:138, 10%) - rules_building_block/collection_common_compressed_archived_file.toml (89:103, 10%) 12 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (129:141, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (65:77, 10%) - rules_building_block/discovery_net_view.toml (52:64, 11%) 12 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (24:36, 7%) - rules_building_block/discovery_net_view.toml (52:64, 11%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (109:123, 6%) - rules_building_block/discovery_posh_generic.toml (27:41, 4%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (78:92, 11%) - rules_building_block/discovery_posh_generic.toml (27:41, 4%) 12 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (133:145, 9%) - rules_building_block/discovery_generic_account_groups.toml (82:94, 12%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (78:92, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (28:39, 10%) 12 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (22:36, 11%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (23:38, 16%) 12 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (95:106, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (101:112, 8%) 12 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (18:32, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (114:127, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (72:86, 13%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (97:111, 12%) - rules_building_block/collection_posh_compression.toml (128:142, 9%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (123:137, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (27:41, 13%) 12 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (26:38, 11%) - rules_building_block/discovery_net_view.toml (52:64, 11%) 12 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (26:38, 10%) - rules_building_block/discovery_net_view.toml (52:64, 11%) 12 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (307:320, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (45:58, 19%) 12 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (111:122, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (101:112, 8%) 12 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (27:39, 11%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (23:39, 17%) 12 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (23:35, 14%) - rules_building_block/discovery_net_view.toml (52:64, 11%) 12 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (57:69, 9%) - rules_building_block/discovery_net_view.toml (52:64, 11%) 12 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (129:143, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (103:117, 12%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (65:79, 17%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (123:137, 7%) - rules_building_block/collection_posh_compression.toml (27:41, 9%) 12 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (18:32, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (22:36, 11%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (23:39, 17%) 12 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (22:36, 11%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (30:42, 16%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (109:123, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (28:39, 10%) 12 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (26:38, 14%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:61, 12%) 12 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (92:107, 13%) - rules_building_block/defense_evasion_download_susp_extension.toml (58:73, 14%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (123:137, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (31:45, 11%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (97:111, 12%) - rules_building_block/discovery_posh_password_policy.toml (110:124, 10%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (64:78, 9%) - rules_building_block/discovery_posh_generic.toml (27:41, 4%) 12 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml (110:124, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (157:169, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:129, 10%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:78, 17%) 12 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (103:117, 12%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (103:117, 12%) 12 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (43:57, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (165:179, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (89:103, 10%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (64:78, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (27:41, 13%) 12 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (27:39, 11%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (24:39, 16%) 12 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (35:49, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (35:49, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (53:67, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (54:68, 8%) 12 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (134:148, 9%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (81:95, 12%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (97:111, 12%) - rules_building_block/discovery_posh_generic.toml (291:305, 4%) 12 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (32:46, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (28:40, 10%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (23:39, 17%) 12 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (110:124, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (72:86, 13%) 12 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (96:110, 12%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (119:131, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:61, 12%) 12 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (22:36, 11%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (24:39, 16%) 12 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (129:143, 9%) - rules_building_block/collection_common_compressed_archived_file.toml (89:103, 10%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (109:123, 6%) - rules_building_block/collection_posh_compression.toml (27:41, 9%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (123:137, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (28:39, 10%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (123:137, 7%) - rules_building_block/discovery_posh_generic.toml (27:41, 4%) 12 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (127:140, 9%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (48:62, 22%) 12 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (128:142, 9%) - rules_building_block/credential_access_win_private_key_access.toml (79:93, 13%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (109:123, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (30:44, 12%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (78:92, 11%) - rules_building_block/discovery_posh_password_policy.toml (27:41, 10%) 12 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml (109:123, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml (84:98, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (27:39, 11%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (23:38, 16%) 12 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (161:175, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (55:69, 19%) 12 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (62:76, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (28:40, 10%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (23:38, 16%) 12 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (44:55, 11%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:56, 16%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (97:111, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (112:126, 11%) 12 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (95:109, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (159:173, 8%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (64:78, 9%) - rules_building_block/discovery_posh_password_policy.toml (27:41, 10%) 12 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (28:40, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (30:42, 16%) 12 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (145:159, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (72:86, 13%) 12 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (128:140, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (130:144, 10%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (119:133, 10%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (64:78, 9%) - rules_building_block/collection_posh_compression.toml (27:41, 9%) 11 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:116, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:103, 11%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml (97:111, 11%) - rules_building_block/impact_github_user_blocked_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (141:154, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (55:67, 13%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (84:98, 13%) - rules_building_block/impact_github_user_blocked_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (106:116, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (157:168, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:51, 23%) 11 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (128:140, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:138, 8%) 11 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (93:106, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (63:76, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (141:153, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:79, 12%) 11 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:104, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (136:149, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (76:86, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:139, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (160:172, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:48, 20%) 11 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (138:152, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:73, 12%) 11 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (152:164, 6%) - rules_building_block/discovery_net_view.toml (101:113, 10%) 11 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:58, 21%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:63, 19%) 11 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (84:98, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:167, 7%) 11 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:197, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:124, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (157:168, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:53, 20%) 11 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (133:145, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (63:75, 15%) 11 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:158, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:82, 11%) 11 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (78:92, 14%) - rules_building_block/impact_github_pat_access_revoked.toml (35:49, 25%) 11 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (44:54, 10%) - rules_building_block/discovery_capnetraw_capability.toml (45:55, 14%) 11 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (152:164, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (49:61, 17%) 11 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (43:53, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:55, 9%) 11 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (114:126, 8%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (134:146, 7%) 11 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (42:52, 8%) - rules_building_block/discovery_capnetraw_capability.toml (45:55, 14%) 11 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (108:120, 9%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (91:103, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (276:288, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (55:67, 13%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_deleted.toml (81:95, 14%) - rules_building_block/impact_github_member_removed_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (122:135, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (150:163, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (37:51, 21%) 11 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (133:145, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (45:57, 19%) 11 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (112:124, 8%) - rules_building_block/discovery_net_view.toml (101:113, 10%) 11 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (173:186, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_disabled.toml (81:95, 14%) - rules_building_block/impact_github_member_removed_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (125:135, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (124:137, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (124:137, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (87:101, 13%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:57, 21%) 11 duplicated lines in: - rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml (85:97, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:138, 8%) 11 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (168:181, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (120:133, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (90:102, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (43:53, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:55, 9%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (170:184, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (57:71, 12%) 11 duplicated lines in: - rules/windows/persistence_services_registry.toml (106:119, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (136:149, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (79:89, 12%) 11 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (137:150, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (86:99, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (108:121, 9%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (37:51, 21%) 11 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (116:129, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml (101:115, 11%) - rules_building_block/impact_github_pat_access_revoked.toml (35:49, 25%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_iam_role_deletion.toml (81:95, 14%) - rules_building_block/impact_github_member_removed_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (122:136, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:167, 7%) 11 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:129, 9%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:179, 5%) 11 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (133:146, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (43:53, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:55, 9%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (160:172, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:48, 20%) 11 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:129, 9%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:55, 15%) 11 duplicated lines in: - rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml (69:83, 15%) - rules_building_block/impact_github_pat_access_revoked.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml (83:97, 13%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:64, 13%) 11 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (139:149, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:103, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (122:135, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/_deprecated/lateral_movement_malicious_remote_file_creation.toml (31:45, 28%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (108:120, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:79, 12%) 11 duplicated lines in: - rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml (69:83, 15%) - rules_building_block/impact_github_member_removed_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml (101:115, 11%) - rules_building_block/impact_github_user_blocked_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (86:99, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (121:134, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (38:52, 21%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (90:104, 11%) - rules_building_block/impact_github_member_removed_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (120:132, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:62, 14%) 11 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (131:144, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (46:59, 13%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (34:47, 11%) 11 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (158:168, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:107, 11%) 11 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_file_writes.toml (56:70, 17%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:124, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (168:181, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_deleted.toml (81:95, 14%) - rules_building_block/impact_github_user_blocked_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:125, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:104, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml (101:115, 11%) - rules_building_block/impact_github_member_removed_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (91:105, 12%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (38:52, 23%) 11 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (116:129, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (133:146, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:114, 10%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (84:98, 12%) - rules_building_block/command_and_control_bitsadmin_activity.toml (57:71, 12%) 11 duplicated lines in: - rules/windows/credential_access_domain_backup_dpapi_private_keys.toml (37:49, 21%) - rules_building_block/credential_access_win_private_key_access.toml (74:86, 12%) 11 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (118:128, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:107, 11%) 11 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (111:124, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (76:86, 13%) 11 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (42:52, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:55, 15%) 11 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (128:141, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (252:262, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:66, 15%) 11 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:166, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (140:154, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (48:62, 15%) 11 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (93:106, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (66:79, 12%) 11 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (120:132, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:93, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:124, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:103, 11%) 11 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (113:123, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml (97:111, 11%) - rules_building_block/impact_github_pat_access_revoked.toml (35:49, 25%) 11 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (240:253, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:89, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (102:115, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:100, 12%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (86:99, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (102:115, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:124, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml (69:83, 15%) - rules_building_block/impact_github_user_blocked_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml (31:45, 28%) - rules_building_block/discovery_generic_process_discovery.toml (47:61, 20%) 11 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (46:59, 13%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (36:49, 11%) 11 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (104:117, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (93:106, 11%) 11 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (131:144, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (127:140, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (160:172, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:49, 20%) 11 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:103, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_repo_created.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (123:136, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (63:76, 13%) 11 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (50:60, 10%) - rules_building_block/discovery_capnetraw_capability.toml (45:55, 14%) 11 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (121:134, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (50:60, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:55, 15%) 11 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (78:92, 14%) - rules_building_block/impact_github_member_removed_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/network/lateral_movement_dns_server_overflow.toml (77:91, 14%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (132:146, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (53:67, 18%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_disabled.toml (81:95, 14%) - rules_building_block/impact_github_user_blocked_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:158, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:179, 5%) 11 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (107:121, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (57:71, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (79:93, 13%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (38:52, 23%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (170:184, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:167, 7%) 11 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:116, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (123:136, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (66:79, 12%) 11 duplicated lines in: - rules/_deprecated/lateral_movement_remote_file_creation_in_sensitive_directory.toml (45:59, 20%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml (97:111, 11%) - rules_building_block/impact_github_member_removed_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (168:182, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:167, 7%) 11 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (41:51, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:55, 9%) 11 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:129, 9%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:54, 18%) 11 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (161:175, 7%) - rules_building_block/lateral_movement_at.toml (40:54, 16%) 11 duplicated lines in: - rules/network/command_and_control_download_rar_powershell_from_internet.toml (114:128, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (57:71, 12%) 11 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (95:108, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:132, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (150:162, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (46:58, 17%) 11 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:141, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:69, 15%) 11 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:158, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:54, 20%) 11 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (105:118, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (63:76, 13%) 11 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (78:92, 14%) - rules_building_block/impact_github_user_blocked_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (240:253, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:86, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (154:166, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:102, 11%) 11 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (127:140, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (138:152, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (53:67, 18%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (148:162, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:167, 7%) 11 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (139:149, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (95:108, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (103:117, 10%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (90:104, 11%) - rules_building_block/impact_github_user_blocked_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/_deprecated/discovery_query_registry_via_reg.toml (29:43, 29%) - rules_building_block/discovery_generic_registry_query.toml (54:68, 16%) 11 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (138:151, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (131:141, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_disabled.toml (81:95, 14%) - rules_building_block/impact_github_pat_access_revoked.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (141:154, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:102, 11%) 11 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (135:148, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (105:118, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (66:79, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:124, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:93, 12%) 11 duplicated lines in: - rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml (31:45, 28%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (51:64, 18%) 11 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (95:108, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (124:137, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (129:141, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (46:58, 17%) 11 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (147:159, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (46:58, 17%) 11 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (132:146, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:73, 12%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_iam_role_deletion.toml (81:95, 14%) - rules_building_block/impact_github_user_blocked_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (150:163, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (80:93, 13%) 11 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (108:120, 9%) - rules_building_block/collection_outlook_email_archive.toml (52:64, 17%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (160:172, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:49, 20%) 11 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (107:121, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:167, 7%) 11 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (173:186, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (100:113, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (110:120, 9%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_iam_role_deletion.toml (81:95, 14%) - rules_building_block/impact_github_pat_access_revoked.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:177, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:57, 18%) 11 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (135:149, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:167, 7%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (84:98, 13%) - rules_building_block/impact_github_pat_access_revoked.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:116, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:93, 12%) 11 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (146:160, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:167, 7%) 11 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:129, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:82, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:158, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:55, 15%) 11 duplicated lines in: - rules/network/command_and_control_download_rar_powershell_from_internet.toml (114:128, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:167, 7%) 11 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (212:222, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:89, 12%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (84:98, 13%) - rules_building_block/impact_github_member_removed_from_organization.toml (35:49, 25%) 11 duplicated lines in: - rules/_deprecated/defense_evasion_code_injection_conhost.toml (91:105, 12%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:64, 13%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (168:182, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (57:71, 12%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_new_event_action_for_pat.toml (37:51, 21%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (90:104, 11%) - rules_building_block/impact_github_pat_access_revoked.toml (35:49, 25%) 11 duplicated lines in: - rules/windows/persistence_services_registry.toml (106:119, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (83:96, 12%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_deleted.toml (81:95, 14%) - rules_building_block/impact_github_pat_access_revoked.toml (35:49, 25%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_aws_lambda_function_updated.toml (56:70, 17%) 11 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (111:124, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (79:89, 12%) 11 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (212:222, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:86, 13%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (143:152, 6%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (182:193, 5%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (45:54, 14%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (119:128, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (86:96, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:214, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:54, 18%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:140, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (31:41, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (103:112, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (75:86, 12%) - rules_building_block/execution_github_new_event_action_for_pat.toml (40:51, 19%) 10 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (30:40, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (109:120, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (112:123, 9%) - rules_building_block/impact_github_user_blocked_from_organization.toml (38:49, 23%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (46:56, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml (90:101, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (160:170, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (77:86, 11%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (83:92, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (125:134, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (176:187, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (115:124, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml (124:133, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:138, 7%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (103:112, 8%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (149:158, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (85:96, 12%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (105:116, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (156:167, 6%) 10 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (114:123, 7%) - rules_building_block/discovery_internet_capabilities.toml (42:51, 17%) 10 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (112:121, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (85:94, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (164:175, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (192:203, 5%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (115:126, 9%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (183:194, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (75:86, 12%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (40:51, 19%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (143:154, 7%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (122:131, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (116:125, 8%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (45:54, 14%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (31:41, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (103:114, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (113:122, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (21:31, 10%) - rules_building_block/discovery_net_view.toml (52:62, 9%) 10 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (75:86, 12%) - rules_building_block/execution_aws_lambda_function_updated.toml (59:70, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (106:115, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:88, 10%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (118:127, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (109:120, 9%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (143:154, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:85, 11%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:109, 10%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (109:120, 10%) - rules_building_block/discovery_generic_process_discovery.toml (50:61, 18%) 10 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (109:120, 10%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:64, 16%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (199:208, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (114:123, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (143:154, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:88, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (135:144, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_wsl_filesystem.toml (86:97, 12%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (41:52, 21%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (38:48, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (105:116, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (84:93, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (97:106, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (126:135, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (143:152, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:81, 14%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (90:101, 11%) - rules_building_block/lateral_movement_wmic_remote.toml (71:82, 13%) 10 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (75:86, 12%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (41:52, 19%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (83:92, 9%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (107:116, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (103:112, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:158, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:268, 3%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (86:95, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (107:116, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (140:149, 7%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (84:94, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (118:127, 8%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (120:129, 6%) - rules_building_block/lateral_movement_at.toml (55:64, 15%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_passwd_file_write.toml (32:42, 8%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (111:122, 9%) - rules_building_block/defense_evasion_masquerading_browsers.toml (192:203, 5%) 10 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (96:106, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:123, 8%) 10 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:88, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:53, 16%) 10 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (125:136, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (60:71, 11%) 10 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (93:102, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (127:138, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (71:82, 13%) 10 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (38:48, 9%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (132:143, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (91:101, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (79:90, 12%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:64, 16%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml (92:103, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:194, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (132:143, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (199:208, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:214, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (77:87, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (131:140, 7%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/persistence_services_registry.toml (123:134, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (125:136, 8%) - rules_building_block/discovery_system_network_connections.toml (40:51, 22%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml (22:32, 9%) - rules_building_block/discovery_net_view.toml (52:62, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (97:106, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (141:152, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (95:106, 11%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (171:180, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:75, 11%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (171:180, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:92, 11%) 10 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (32:42, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (102:113, 7%) - rules_building_block/discovery_security_software_wmic.toml (91:102, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:140, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (106:115, 9%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_named_pipe_impersonation.toml (91:101, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (125:134, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (182:191, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:93, 10%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (100:109, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (143:154, 7%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (64:75, 16%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (40:51, 19%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (198:209, 5%) - rules_building_block/discovery_security_software_wmic.toml (91:102, 11%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (83:92, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (129:140, 8%) - rules_building_block/lateral_movement_at.toml (43:54, 15%) 10 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (105:115, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml (122:131, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:138, 7%) 10 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (84:94, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml (90:101, 12%) - rules_building_block/command_and_control_bitsadmin_activity.toml (60:71, 11%) 10 duplicated lines in: - rules/promotions/privilege_escalation_endgame_process_injection_detected.toml (77:88, 14%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:76, 12%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml (89:100, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (115:124, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (21:30, 10%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (23:35, 14%) 10 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (99:110, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (166:175, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:97, 11%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (160:170, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (57:67, 10%) - rules_building_block/discovery_net_view.toml (52:62, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (106:117, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (41:52, 21%) 10 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (31:41, 9%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (166:175, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:158, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/windows/initial_access_execution_via_office_addins.toml (121:130, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (111:122, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (102:113, 10%) - rules_building_block/discovery_generic_process_discovery.toml (50:61, 18%) 10 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:118, 9%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (128:139, 8%) - rules_building_block/lateral_movement_at.toml (43:54, 15%) 10 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (100:111, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (104:113, 10%) - rules_building_block/persistence_startup_folder_lnk.toml (49:58, 16%) 10 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (94:103, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:194, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (103:114, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (114:123, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (165:176, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (99:110, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:117, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:53, 16%) 10 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (183:194, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:118, 9%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml (75:84, 12%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:75, 13%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (162:171, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (89:100, 11%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:67, 16%) 10 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (111:122, 8%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (119:128, 8%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (99:110, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_files.toml (93:104, 10%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (120:130, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (105:114, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:138, 7%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:111, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (90:101, 11%) - rules_building_block/discovery_security_software_wmic.toml (91:102, 11%) 10 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (64:75, 16%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (40:51, 19%) 10 duplicated lines in: - rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml (76:87, 13%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (137:146, 6%) - rules_building_block/lateral_movement_at.toml (55:64, 15%) 10 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:87, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:53, 16%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (103:112, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (170:181, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:107, 10%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (98:109, 10%) - rules_building_block/execution_wmi_wbemtest.toml (43:54, 20%) 10 duplicated lines in: - rules/windows/lateral_movement_via_wsus_update.toml (95:106, 10%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (95:104, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (101:112, 10%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (41:52, 21%) 10 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (64:75, 16%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (41:52, 19%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:214, 4%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (102:113, 10%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:64, 16%) 10 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (111:122, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/execution_mofcomp.toml (91:102, 9%) - rules_building_block/discovery_security_software_wmic.toml (91:102, 11%) 10 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (124:135, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (150:161, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (115:124, 9%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (32:42, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (84:93, 10%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (105:114, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (95:106, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (149:158, 6%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (164:175, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (100:111, 10%) 10 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (111:122, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (101:110, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (31:41, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (170:181, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (21:30, 10%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (23:35, 13%) 10 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (109:118, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (83:94, 12%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (102:113, 7%) - rules_building_block/execution_wmi_wbemtest.toml (43:54, 20%) 10 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (93:104, 11%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:67, 16%) 10 duplicated lines in: - rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml (75:84, 12%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/persistence_via_bits_job_notify_command.toml (81:92, 12%) - rules_building_block/command_and_control_bitsadmin_activity.toml (84:95, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (91:101, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (84:93, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:132, 6%) 10 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:118, 9%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (64:75, 16%) - rules_building_block/execution_github_repo_created.toml (38:49, 23%) 10 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (88:99, 12%) - rules_building_block/discovery_of_domain_groups.toml (44:55, 20%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (166:175, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (164:175, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (68:79, 14%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (166:175, 6%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (124:135, 8%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:126, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (120:130, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (125:134, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (99:110, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (64:75, 16%) - rules_building_block/execution_github_new_event_action_for_pat.toml (40:51, 19%) 10 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (101:110, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:88, 10%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (166:175, 6%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (149:158, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (143:154, 7%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/_deprecated/credential_access_tcpdump_activity.toml (49:60, 19%) - rules_building_block/discovery_capnetraw_capability.toml (70:81, 12%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (143:152, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (77:86, 11%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:194, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (97:106, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (100:109, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (166:175, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (84:93, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (140:149, 7%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (118:127, 8%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (165:176, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:64, 12%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (131:140, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (115:124, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (127:138, 8%) - rules_building_block/execution_wmi_wbemtest.toml (43:54, 20%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (99:110, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml (90:101, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (156:167, 6%) 10 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (64:75, 16%) - rules_building_block/execution_aws_lambda_function_updated.toml (59:70, 15%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (84:93, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (91:100, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (77:86, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:268, 3%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:54, 18%) 10 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (86:95, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:53, 16%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (100:109, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (143:154, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (135:144, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (102:113, 10%) - rules_building_block/discovery_generic_process_discovery.toml (50:61, 18%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:208, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (162:171, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (119:128, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (62:72, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (143:154, 7%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:108, 10%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (79:90, 12%) - rules_building_block/discovery_generic_process_discovery.toml (50:61, 18%) 10 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (149:158, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml (90:101, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (116:127, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:85, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (144:155, 7%) - rules_building_block/discovery_net_view.toml (111:122, 9%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (118:127, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (79:89, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (143:152, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (107:116, 9%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (116:125, 8%) - rules_building_block/discovery_generic_account_groups.toml (65:74, 10%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (199:208, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (98:109, 10%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:57, 19%) 10 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:118, 9%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (100:111, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (53:62, 16%) 10 duplicated lines in: - rules/linux/impact_process_kill_threshold.toml (94:105, 11%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (31:41, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (154:166, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (94:104, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (125:134, 7%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:118, 9%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (103:112, 8%) - rules_building_block/persistence_startup_folder_lnk.toml (49:58, 16%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (21:31, 11%) - rules_building_block/discovery_net_view.toml (52:62, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:54, 18%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (135:144, 7%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (198:209, 5%) - rules_building_block/execution_wmi_wbemtest.toml (43:54, 20%) 10 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (107:118, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (128:137, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (100:111, 10%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:108, 10%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (105:116, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (100:111, 10%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (165:176, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (154:165, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (60:71, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (122:131, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:118, 9%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (149:158, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (128:137, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (80:89, 11%) 10 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (128:137, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (63:72, 11%) 10 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (111:122, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (111:122, 9%) - rules_building_block/execution_wmi_wbemtest.toml (43:54, 20%) 10 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (182:193, 5%) - rules_building_block/discovery_generic_account_groups.toml (65:74, 10%) 10 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (107:118, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (186:197, 6%) - rules_building_block/discovery_net_view.toml (111:122, 9%) 10 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (132:143, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (98:109, 10%) - rules_building_block/lateral_movement_wmic_remote.toml (71:82, 13%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (100:111, 10%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (114:123, 7%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml (88:99, 12%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:208, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (30:40, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (92:101, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:75, 13%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (131:140, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (105:116, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (114:123, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (143:152, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (80:91, 12%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (143:152, 6%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (77:86, 11%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (89:100, 11%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (100:109, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (176:187, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (103:114, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:97, 11%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (126:135, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (100:109, 10%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (125:136, 8%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:64, 16%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (171:180, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:89, 11%) 10 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (149:158, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (171:180, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:72, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (162:171, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (85:96, 12%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (84:93, 10%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/execution_mofcomp.toml (91:102, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (71:82, 13%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (98:109, 10%) - rules_building_block/discovery_security_software_wmic.toml (91:102, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (144:155, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (59:70, 16%) 10 duplicated lines in: - rules/windows/persistence_services_registry.toml (123:134, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:268, 3%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (107:116, 9%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (140:149, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (85:96, 12%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (106:117, 10%) - rules_building_block/lateral_movement_at.toml (43:54, 15%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (143:152, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (31:41, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (199:208, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (105:115, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:97, 11%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (107:116, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (122:131, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (102:111, 10%) - rules_building_block/lateral_movement_at.toml (55:64, 15%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (83:92, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (107:116, 9%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (114:123, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (100:111, 10%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (131:140, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (86:96, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:109, 10%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (176:187, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (96:108, 10%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:67, 16%) 10 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (165:174, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (119:130, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (156:167, 6%) 10 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (112:123, 9%) - rules_building_block/impact_github_member_removed_from_organization.toml (38:49, 23%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (125:136, 8%) - rules_building_block/discovery_generic_process_discovery.toml (50:61, 18%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (198:209, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (71:82, 13%) 10 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (149:158, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/windows/credential_access_imageload_azureadconnectauthsvc.toml (94:105, 11%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:57, 19%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (127:136, 6%) - rules_building_block/discovery_generic_account_groups.toml (65:74, 10%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (140:149, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (154:165, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (156:167, 6%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:46, 25%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:102, 10%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (122:131, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (32:42, 9%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_passwd_file_write.toml (32:42, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (77:86, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (105:116, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (111:122, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (93:104, 11%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (102:111, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (90:101, 11%) - rules_building_block/execution_wmi_wbemtest.toml (43:54, 20%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (124:135, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (113:123, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (97:106, 9%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (118:127, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (162:171, 6%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (108:117, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (110:119, 8%) 10 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (124:135, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (83:92, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (75:86, 12%) - rules_building_block/execution_github_repo_created.toml (38:49, 23%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (131:140, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/credential_access_kerberoasting_unusual_process.toml (94:103, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:132, 6%) 10 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (183:194, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (28:38, 11%) - rules_building_block/discovery_net_view.toml (52:62, 9%) 10 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (160:170, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (111:122, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (71:82, 13%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (103:112, 8%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (31:41, 9%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (30:40, 7%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml (76:87, 14%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:76, 12%) 10 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (124:135, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (114:123, 7%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (29:39, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (34:44, 6%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:97, 11%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (128:137, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (83:92, 11%) 10 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (128:137, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (66:75, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (127:136, 6%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (45:54, 14%) 10 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (149:158, 6%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (170:181, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/execution_mofcomp.toml (91:102, 9%) - rules_building_block/execution_wmi_wbemtest.toml (43:54, 20%) 10 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (105:116, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (77:86, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (99:109, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:123, 8%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (125:134, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (107:118, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (114:123, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (111:122, 9%) - rules_building_block/discovery_security_software_wmic.toml (91:102, 11%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (126:135, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (116:127, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:88, 11%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (118:127, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:107, 11%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:89, 13%) - rules_building_block/discovery_internet_capabilities.toml (55:65, 17%) 10 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (34:44, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (119:128, 8%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (143:154, 7%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (111:120, 8%) - rules_building_block/execution_unsigned_service_executable.toml (56:65, 13%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (34:44, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:158, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (199:208, 5%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (113:124, 9%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (41:52, 21%) 10 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (154:163, 6%) - rules_building_block/lateral_movement_at.toml (55:64, 15%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (126:135, 8%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (60:69, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (69:78, 8%) 10 duplicated lines in: - rules/windows/persistence_runtime_run_key_startup_susp_procs.toml (92:101, 10%) - rules_building_block/persistence_startup_folder_lnk.toml (49:58, 16%) 10 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (79:89, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (103:112, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:88, 10%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (118:127, 8%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:126, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (154:166, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (88:99, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:64, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:208, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (130:139, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:138, 7%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (103:112, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (115:126, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (54:65, 11%) 10 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:88, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (85:96, 12%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:194, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:158, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/windows/persistence_services_registry.toml (123:134, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (115:124, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (100:109, 9%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (127:138, 8%) - rules_building_block/discovery_security_software_wmic.toml (91:102, 11%) 10 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (112:121, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:75, 13%) 10 duplicated lines in: - rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml (82:93, 13%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (90:101, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:64, 12%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (105:116, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (95:106, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (186:197, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (59:70, 16%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:208, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (126:135, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (140:149, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (199:208, 5%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (107:116, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (199:208, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (131:140, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (46:58, 12%) - rules_building_block/discovery_net_view.toml (34:46, 9%) 10 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (111:122, 9%) - rules_building_block/discovery_security_software_wmic.toml (91:102, 11%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_process.toml (135:146, 7%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (122:131, 7%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (31:41, 8%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (100:109, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (80:91, 12%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (84:93, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml (90:101, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml (82:93, 13%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (119:128, 8%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (112:123, 9%) - rules_building_block/impact_github_pat_access_revoked.toml (38:49, 23%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:140, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:54, 18%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (135:144, 7%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (21:30, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (30:40, 13%) 10 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (102:113, 10%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:64, 16%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (162:171, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (46:58, 12%) - rules_building_block/discovery_security_software_wmic.toml (37:49, 11%) 10 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (88:97, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (31:41, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (51:61, 8%) - rules_building_block/discovery_net_view.toml (52:62, 9%) 10 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (84:95, 12%) - rules_building_block/discovery_hosts_file_access.toml (43:54, 20%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (100:109, 9%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (111:122, 9%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (68:79, 14%) 10 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (99:110, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (85:96, 12%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (92:101, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (125:134, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (131:140, 7%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (114:123, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (96:108, 10%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (125:136, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (156:167, 6%) 10 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (133:144, 8%) - rules_building_block/lateral_movement_at.toml (43:54, 15%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (21:30, 10%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (24:36, 13%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (95:106, 11%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (115:126, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (95:106, 11%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (29:39, 10%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (125:134, 7%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (140:149, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (141:152, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:67, 16%) 10 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (38:48, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (111:122, 9%) - rules_building_block/execution_wmi_wbemtest.toml (43:54, 20%) 10 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (109:120, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:123, 8%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (103:112, 8%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (119:130, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (60:71, 11%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml (22:32, 11%) - rules_building_block/discovery_net_view.toml (52:62, 9%) 10 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (95:105, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (95:104, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (135:144, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:126, 8%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (84:93, 10%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (107:118, 10%) - rules_building_block/lateral_movement_at.toml (43:54, 15%) 10 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:126, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (103:114, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (75:86, 12%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (40:51, 19%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (83:92, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:106, 10%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (166:175, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml (81:91, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:129, 6%) 10 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (109:120, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (120:130, 5%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_passwd_file_write.toml (32:42, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:117, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (126:135, 8%) - rules_building_block/discovery_posh_password_policy.toml (108:117, 9%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (83:92, 9%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (124:135, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (100:111, 10%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:81, 13%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:63, 17%) 10 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:87, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (88:97, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (97:106, 9%) - rules_building_block/discovery_posh_generic.toml (289:298, 3%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (26:36, 10%) - rules_building_block/discovery_net_view.toml (52:62, 9%) 10 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (29:39, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (33:43, 8%) 10 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (101:112, 10%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:57, 19%) 10 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (85:96, 12%) - rules_building_block/discovery_windows_system_information_discovery.toml (59:70, 15%) 10 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (105:115, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (51:62, 11%) 10 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (111:122, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (100:111, 10%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (115:124, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:96, 11%) 10 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (102:113, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (71:82, 13%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (126:135, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:120, 9%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/collection_posh_compression.toml (125:136, 8%) 9 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (74:83, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (76:85, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (76:85, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (60:69, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (71:80, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (141:150, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:67, 14%) 9 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (109:119, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:89, 9%) 9 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (77:86, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml (44:53, 10%) - rules_building_block/discovery_security_software_wmic.toml (41:50, 10%) 9 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (39:48, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (69:78, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (33:42, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (60:68, 9%) - rules_building_block/discovery_net_view.toml (54:62, 8%) 9 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml (48:57, 9%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:49, 9%) 9 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (95:104, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (68:77, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (123:133, 7%) - rules_building_block/discovery_generic_account_groups.toml (76:86, 9%) 9 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (112:121, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:67, 14%) 9 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (85:94, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (57:66, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:49, 9%) 9 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (78:87, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/discovery_admin_recon.toml (51:60, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:49, 9%) 9 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (32:41, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (83:92, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (12:22, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (16:26, 6%) 9 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (84:93, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (77:86, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (57:66, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (38:47, 9%) 9 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (78:87, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (97:105, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:129, 6%) 9 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (59:68, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (44:53, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml (125:137, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:79, 12%) 9 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (69:78, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (90:98, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:129, 6%) 9 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (86:95, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (76:86, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (113:122, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:67, 14%) 9 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (72:82, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (83:93, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:59, 12%) 9 duplicated lines in: - rules/windows/discovery_admin_recon.toml (51:60, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (38:47, 9%) 9 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (70:79, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (68:77, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (92:101, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (72:81, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (80:89, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (83:92, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (91:100, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (82:91, 5%) - rules_building_block/discovery_security_software_wmic.toml (41:50, 10%) 9 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (94:103, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/privilege_escalation_named_pipe_impersonation.toml (78:87, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml (48:57, 9%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (38:47, 9%) 9 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (81:90, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (130:139, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (67:77, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (30:38, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (95:103, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:129, 6%) 9 duplicated lines in: - rules/linux/persistence_udev_rule_creation.toml (47:55, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (49:57, 12%) 9 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (94:102, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:129, 6%) 9 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (87:96, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (51:60, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (87:96, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (83:93, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:90, 9%) 9 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (50:59, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (53:62, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (30:39, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (123:133, 7%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (56:66, 12%) 9 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (70:79, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (50:59, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (81:90, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (76:85, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (44:53, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (83:91, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:129, 6%) 9 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (33:42, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 9 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (87:96, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (64:73, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (125:134, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:128, 6%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (69:78, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:114, 6%) 9 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (128:136, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (73:81, 8%) 9 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (56:65, 10%) - rules_building_block/defense_evasion_write_dac_access.toml (33:42, 12%) 8 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (49:56, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (129:138, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (145:154, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (137:144, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (46:53, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (111:118, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:50, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (72:79, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (84:91, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:128, 5%) 8 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (128:136, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:126, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (44:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (51:58, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:138, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml (81:90, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (90:99, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (145:153, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (71:78, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (74:81, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:34, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (24:31, 9%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (133:141, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (88:96, 9%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (129:138, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/integrations/azure/credential_access_key_vault_modified.toml (78:87, 10%) - rules_building_block/credential_access_win_private_key_access.toml (74:83, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (87:96, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (138:147, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (51:60, 10%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (132:141, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (46:55, 12%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (133:143, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (181:190, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (45:54, 12%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (67:74, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (103:111, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:30, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:34, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml (44:51, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:128, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (123:132, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (56:65, 9%) 8 duplicated lines in: - rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml (82:91, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml (76:85, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (48:55, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (73:83, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (51:60, 10%) 8 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (93:103, 8%) - rules_building_block/discovery_net_view.toml (91:101, 7%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (61:70, 12%) 8 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (132:141, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml (81:90, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:185, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (63:70, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (103:111, 7%) - rules_building_block/collection_outlook_email_archive.toml (57:64, 12%) 8 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (106:114, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (85:94, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml (83:92, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml (49:56, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:196, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (9:18, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:16, 5%) 8 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (57:65, 7%) - rules_building_block/discovery_security_software_wmic.toml (41:49, 9%) 8 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (68:75, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:124, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (118:126, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml (45:52, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (85:93, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:97, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (125:134, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (70:79, 10%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml (45:52, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (92:101, 9%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:196, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (77:84, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (102:110, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (111:121, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (198:205, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (132:140, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (92:101, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (69:76, 7%) - rules_building_block/discovery_security_software_wmic.toml (53:60, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (71:78, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:130, 5%) 8 duplicated lines in: - rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml (81:92, 10%) - rules_building_block/discovery_capnetraw_capability.toml (67:78, 10%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (147:156, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (127:134, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (49:56, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml (48:55, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (65:72, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (45:52, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (44:51, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (72:79, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:125, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:42, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:34, 11%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (47:54, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/_deprecated/discovery_file_dir_discovery.toml (85:94, 10%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (91:100, 8%) 8 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (72:79, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (118:128, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (139:148, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (143:151, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (44:53, 17%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (85:94, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:128, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (72:79, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (125:134, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (63:70, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:130, 5%) 8 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (137:146, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml (79:88, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (125:134, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (104:111, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (150:160, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (35:42, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_user_discovery.toml (45:52, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (41:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (72:81, 10%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (78:85, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (154:161, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (49:56, 6%) 8 duplicated lines in: - rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml (123:133, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (90:99, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:46, 14%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:50, 13%) 8 duplicated lines in: - rules/ml/credential_access_ml_suspicious_login_activity.toml (41:48, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (69:76, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (109:116, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (121:129, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (78:85, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (124:131, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (37:44, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/credential_access_kerberoasting_unusual_process.toml (73:80, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (69:78, 11%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (70:77, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:196, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (22:30, 8%) - rules_building_block/discovery_net_view.toml (52:60, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:155, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:45, 14%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:46, 14%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (41:48, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/credential_access_ml_suspicious_login_activity.toml (41:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (27:35, 10%) - rules_building_block/discovery_signal_unusual_user_host.toml (29:37, 15%) 8 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (126:134, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (54:63, 14%) 8 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (88:96, 9%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (98:107, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (30:38, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (64:71, 2%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (32:40, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml (66:73, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (107:116, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (91:100, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (138:145, 4%) - rules_building_block/discovery_posh_generic.toml (205:212, 2%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml (105:114, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (100:110, 8%) - rules_building_block/lateral_movement_at.toml (66:76, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (125:134, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/ml/ml_spike_in_traffic_to_a_country.toml (48:55, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (125:134, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (66:73, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (142:152, 6%) - rules_building_block/lateral_movement_at.toml (66:76, 12%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (48:55, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (136:146, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/ml/ml_spike_in_traffic_to_a_country.toml (48:55, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:128, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (145:154, 6%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (98:107, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (43:52, 17%) 8 duplicated lines in: - rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml (65:74, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (106:114, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (164:173, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (51:60, 10%) 8 duplicated lines in: - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml (73:82, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/cross-platform/credential_access_forced_authentication_pipes.toml (31:38, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml (103:113, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (125:134, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (46:53, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (91:100, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (45:52, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (138:145, 4%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (62:69, 11%) 8 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (38:45, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (94:102, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events.toml (44:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (114:122, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (147:154, 4%) - rules_building_block/discovery_posh_generic.toml (291:298, 2%) 8 duplicated lines in: - rules/ml/ml_rare_destination_country.toml (50:57, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:125, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (127:134, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (19:27, 8%) - rules_building_block/discovery_net_view.toml (52:60, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:196, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (104:114, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (95:105, 8%) 8 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (109:118, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (176:186, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (108:118, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (95:105, 8%) 8 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (87:96, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (100:109, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (29:37, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (94:102, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (142:152, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (71:80, 11%) - rules_building_block/discovery_signal_unusual_user_host.toml (44:53, 15%) 8 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (113:121, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (69:76, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (44:51, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (121:128, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (3:11, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (3:11, 8%) 8 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (64:72, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (46:53, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (102:111, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:46, 14%) 8 duplicated lines in: - rules/ml/ml_packetbeat_rare_server_domain.toml (48:55, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml (99:108, 8%) - rules_building_block/collection_common_compressed_archived_file.toml (74:83, 6%) 8 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (60:68, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:138, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (104:113, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:79, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:125, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/credential_access_regback_sam_security_hives.toml (77:86, 9%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/initial_access_xsl_script_execution_via_com.toml (89:99, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (121:128, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (98:106, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:125, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:196, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (96:104, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (171:181, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (46:55, 12%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml (114:124, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (103:110, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml (99:108, 8%) - rules_building_block/collection_outlook_email_archive.toml (52:61, 12%) 8 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (59:67, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/ml/ml_low_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (138:147, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (86:95, 10%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (103:112, 8%) 8 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (38:45, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (84:91, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (150:160, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml (73:82, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (44:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (154:164, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (109:117, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:196, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/ml/ml_spike_in_traffic_to_a_country.toml (48:55, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (118:126, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (59:66, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:130, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:124, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/ml/ml_high_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (161:169, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:50, 13%) 8 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (103:111, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (92:101, 9%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:155, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (138:148, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (86:94, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (71:78, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (62:69, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:130, 5%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (108:117, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:126, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (66:73, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:138, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (72:79, 5%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml (87:96, 9%) - rules_building_block/collection_outlook_email_archive.toml (52:61, 12%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (66:73, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:124, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (85:94, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (51:60, 10%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (46:53, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (127:137, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (102:111, 8%) 8 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (113:121, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (51:58, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (107:114, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/_deprecated/defense_evasion_code_injection_conhost.toml (96:105, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (129:139, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (52:62, 14%) 8 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (131:138, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml (89:98, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (147:154, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (116:123, 6%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml (87:96, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (169:179, 5%) - rules_building_block/discovery_security_software_wmic.toml (93:102, 9%) 8 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (110:119, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:58, 10%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (44:51, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (106:115, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (145:152, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (47:54, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:59, 6%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_activity.toml (40:47, 9%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:126, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:138, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (103:112, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (87:94, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (81:90, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (108:117, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (37:44, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (32:40, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (130:140, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_getconf_execution.toml (45:53, 16%) 8 duplicated lines in: - rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml (65:74, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (86:95, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:135, 5%) 8 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (150:159, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:124, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml (82:91, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_group_creation.toml (71:78, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:32, 13%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml (48:56, 8%) - rules_building_block/discovery_net_view.toml (38:46, 7%) 8 duplicated lines in: - rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml (99:108, 8%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (43:52, 14%) 8 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (104:112, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (95:104, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/ml/ml_rare_destination_country.toml (50:57, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (142:152, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (143:150, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (97:104, 7%) 8 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (128:137, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (53:62, 11%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (69:76, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml (88:98, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (47:54, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (68:76, 11%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (107:116, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:125, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:138, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (181:191, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (95:105, 8%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml (104:113, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (118:128, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:124, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml (121:131, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (95:105, 8%) 8 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml (79:88, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (115:122, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (95:104, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (48:55, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:59, 6%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (91:100, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (147:154, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (89:96, 9%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml (44:52, 8%) - rules_building_block/discovery_net_view.toml (38:46, 7%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (75:82, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (75:82, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (86:93, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (98:106, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:125, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml (48:56, 8%) - rules_building_block/discovery_security_software_wmic.toml (41:49, 9%) 8 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (105:114, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_port_activity.toml (39:46, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (87:96, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (75:82, 5%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (35:42, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events.toml (44:51, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (173:183, 5%) - rules_building_block/lateral_movement_at.toml (66:76, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (138:148, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (147:154, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:106, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:128, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (100:110, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (86:95, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (65:72, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (92:100, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (81:90, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (67:75, 11%) 8 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (87:96, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (93:101, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/ml_high_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:128, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (91:101, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (46:55, 12%) 8 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (114:122, 6%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (150:159, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (104:112, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (35:42, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (47:54, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml (97:106, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (147:154, 4%) - rules_building_block/discovery_posh_password_policy.toml (110:117, 7%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml (45:52, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (40:47, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/ml_high_count_network_denies.toml (47:54, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (128:135, 6%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (62:69, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:124, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:46, 14%) 8 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (37:44, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (94:104, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (98:107, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:58, 10%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (120:127, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (90:99, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (41:50, 9%) - rules_building_block/discovery_security_software_wmic.toml (41:49, 9%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (80:87, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (120:127, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/ml_high_count_network_denies.toml (47:54, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (69:76, 2%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml (105:114, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (43:50, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (98:107, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:89, 8%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:45, 14%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (72:79, 4%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (90:97, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:130, 5%) 8 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (148:157, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/ml_rare_destination_country.toml (50:57, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_user_discovery.toml (45:52, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml (80:89, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml (51:58, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (122:130, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (105:113, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:196, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (80:87, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (169:179, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (73:82, 10%) 8 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (114:124, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml (81:90, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:128, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (308:317, 2%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml (43:50, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (146:154, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (72:82, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (51:60, 10%) 8 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (68:75, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (85:94, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (70:79, 10%) 8 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (145:152, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:185, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (202:209, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (81:88, 8%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml (113:123, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (124:133, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (106:114, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (98:107, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (82:90, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (38:46, 8%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (46:53, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (89:98, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (51:60, 10%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (82:90, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:48, 8%) 8 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (59:66, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (41:50, 9%) - rules_building_block/discovery_net_view.toml (38:46, 7%) 8 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (90:99, 9%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (49:58, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:155, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (77:84, 6%) - rules_building_block/discovery_security_software_wmic.toml (53:60, 9%) 8 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (37:44, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (125:134, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (42:51, 14%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml (82:91, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events.toml (44:51, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (102:111, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:46, 14%) 8 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (128:135, 6%) - rules_building_block/discovery_generic_account_groups.toml (82:89, 8%) 8 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (138:145, 4%) - rules_building_block/discovery_generic_account_groups.toml (82:89, 8%) 8 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (62:69, 9%) - rules_building_block/discovery_security_software_wmic.toml (53:60, 9%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_activity.toml (40:47, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (127:137, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (194:203, 4%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (169:179, 5%) - rules_building_block/execution_wmi_wbemtest.toml (45:54, 16%) 8 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (69:77, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml (51:58, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (94:104, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_sqs_purge_queue.toml (131:140, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (72:79, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_activity.toml (40:47, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (85:93, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (3:11, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (3:11, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (85:94, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (50:59, 12%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (40:47, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (99:109, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/ml/ml_low_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (108:117, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (114:124, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (44:51, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:138, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (63:70, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml (80:89, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (35:42, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (108:118, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/ml/ml_packetbeat_rare_server_domain.toml (48:55, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:45, 14%) 8 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (107:114, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/ml_high_count_network_events.toml (46:53, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml (81:90, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (118:128, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:196, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (67:74, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (107:116, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:97, 5%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (82:90, 4%) - rules_building_block/discovery_net_view.toml (38:46, 7%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (70:77, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (72:79, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:32, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (122:132, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (109:118, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (179:188, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/ml/ml_low_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (262:272, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml (68:77, 11%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (132:140, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml (51:58, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml (43:50, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (75:82, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (168:175, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (51:58, 12%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (147:154, 4%) - rules_building_block/collection_posh_compression.toml (128:136, 6%) 8 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (73:83, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:185, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (70:77, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (131:138, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (68:75, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (138:147, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (125:134, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (147:154, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (112:120, 7%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml (49:56, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:196, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (35:42, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:138, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (41:48, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (103:111, 8%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (94:102, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (46:53, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml (49:56, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:185, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:185, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:124, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:125, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (102:111, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:45, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:126, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml (80:89, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (103:111, 8%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:125, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/windows/credential_access_regback_sam_security_hives.toml (77:86, 9%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (87:96, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (51:60, 10%) 8 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (87:94, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/ml/ml_high_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (43:50, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml (88:97, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (51:58, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:130, 5%) 8 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (262:272, 3%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (45:52, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (94:101, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (3:11, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (3:11, 8%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (44:51, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (127:136, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/ml/ml_packetbeat_rare_server_domain.toml (48:55, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (72:82, 9%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (131:139, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:124, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (90:97, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (97:104, 7%) 8 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (124:133, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (164:173, 4%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (130:140, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (130:137, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (102:111, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:50, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (118:128, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/integrations/github/persistence_organization_owner_role_granted.toml (79:89, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:185, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (120:128, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (46:53, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml (75:84, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (154:164, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (109:116, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (40:47, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (108:116, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (43:50, 9%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (121:129, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (167:176, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (72:79, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (49:56, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (136:144, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:138, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (43:50, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml (44:51, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (133:140, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (55:62, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (156:163, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (86:93, 8%) 8 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (57:65, 7%) - rules_building_block/discovery_net_view.toml (38:46, 7%) 8 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (41:50, 9%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:48, 8%) 8 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (126:135, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:34, 9%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:29, 12%) 8 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (127:135, 6%) - rules_building_block/discovery_posh_generic.toml (254:262, 2%) 8 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (163:172, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (57:66, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:155, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (41:50, 9%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (38:46, 8%) 8 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (36:43, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (127:137, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (70:79, 11%) 8 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (49:56, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:59, 6%) 8 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (82:89, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:128, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (51:59, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (98:107, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:97, 5%) 8 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (78:85, 6%) - rules_building_block/discovery_net_view.toml (59:66, 7%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml (43:50, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:45, 14%) 8 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (118:126, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (183:193, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (52:62, 14%) 8 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (136:146, 6%) - rules_building_block/lateral_movement_at.toml (66:76, 12%) 8 duplicated lines in: - rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml (82:91, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (51:60, 10%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (72:79, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (90:99, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (95:103, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:57, 8%) 8 duplicated lines in: - rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml (41:50, 18%) - rules_building_block/collection_common_compressed_archived_file.toml (123:132, 6%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml (43:50, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml (71:80, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (137:145, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (66:73, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/discovery_admin_recon.toml (51:59, 7%) - rules_building_block/discovery_security_software_wmic.toml (41:49, 9%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (46:53, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (46:53, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/ml_high_count_network_events.toml (46:53, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (76:83, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/discovery_admin_recon.toml (63:70, 7%) - rules_building_block/discovery_security_software_wmic.toml (53:60, 9%) 8 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (133:142, 6%) - rules_building_block/discovery_posh_generic.toml (213:222, 2%) 8 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (75:84, 11%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (53:62, 11%) 8 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (74:81, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (113:122, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:128, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/discovery_admin_recon.toml (51:59, 7%) - rules_building_block/discovery_net_view.toml (38:46, 7%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:46, 14%) 8 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (85:94, 2%) - rules_building_block/command_and_control_certutil_network_connection.toml (87:96, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:34, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (30:37, 9%) 8 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (110:118, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml (43:50, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (148:155, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (46:53, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (49:56, 11%) 8 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (183:190, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (51:58, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:138, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:185, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (83:92, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml (44:52, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:48, 8%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml (43:50, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (113:121, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (102:111, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (53:62, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (103:113, 7%) - rules_building_block/discovery_net_view.toml (91:101, 7%) 8 duplicated lines in: - rules/_deprecated/persistence_kernel_module_activity.toml (33:42, 17%) - rules_building_block/persistence_startup_folder_lnk.toml (46:55, 12%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml (83:92, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:76, 9%) 8 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (84:94, 10%) - rules_building_block/lateral_movement_at.toml (66:76, 12%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml (48:55, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (65:72, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml (82:92, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:128, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (72:79, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/ml_high_count_network_denies.toml (47:54, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (62:70, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (136:146, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:117, 8%) 8 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (85:94, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (114:122, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (72:79, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (61:68, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (38:45, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_user_discovery.toml (45:52, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml (74:84, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (65:73, 10%) 8 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (125:134, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (125:134, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (50:59, 12%) 8 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (43:50, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml (48:55, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:124, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (185:195, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (64:72, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml (104:113, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:45, 14%) 8 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (105:114, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (104:111, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (51:58, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_port_activity.toml (39:46, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (116:123, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (110:117, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (122:132, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (74:81, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (33:41, 10%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (127:136, 6%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (77:84, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (92:101, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:97, 5%) 8 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (99:106, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (63:70, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:130, 5%) 8 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (162:171, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (76:85, 10%) - rules_building_block/discovery_signal_unusual_user_host.toml (44:53, 15%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (108:117, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (74:81, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml (40:49, 19%) - rules_building_block/collection_common_compressed_archived_file.toml (123:132, 6%) 8 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (96:106, 9%) - rules_building_block/lateral_movement_at.toml (66:76, 12%) 8 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (104:112, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml (79:88, 9%) - rules_building_block/credential_access_win_private_key_access.toml (74:83, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (112:119, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (72:79, 9%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (124:131, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:112, 5%) 8 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (148:157, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (112:119, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (43:50, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (111:121, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (69:79, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (185:195, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:45, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:125, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (126:135, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (174:181, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (98:106, 6%) 8 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (214:222, 3%) - rules_building_block/persistence_creation_of_kernel_module.toml (42:49, 16%) 8 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (105:113, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/ml/credential_access_ml_suspicious_login_activity.toml (41:48, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (44:51, 5%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (131:140, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (53:62, 11%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_port_activity.toml (39:46, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml (44:52, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (38:46, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:185, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (128:135, 6%) - rules_building_block/discovery_posh_generic.toml (205:212, 2%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (108:118, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (52:62, 14%) 8 duplicated lines in: - rules/_deprecated/credential_access_tcpdump_activity.toml (34:45, 15%) - rules_building_block/discovery_capnetraw_capability.toml (67:78, 10%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (102:111, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:45, 14%) 8 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (100:108, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 8 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (49:56, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (122:129, 5%) 8 duplicated lines in: - rules/ml/ml_high_count_network_events.toml (46:53, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (112:120, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml (88:97, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml (68:77, 11%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:44, 17%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:185, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (37:44, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (116:124, 6%) 8 duplicated lines in: - rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml (44:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (48:55, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (38:45, 6%) 8 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (44:51, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (159:166, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (97:104, 7%) 7 duplicated lines in: - rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml (22:28, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:125, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (127:133, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (70:76, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:34, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:31, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:34, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:27, 15%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (117:123, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (87:93, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (132:140, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (42:50, 12%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (127:133, 4%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (68:74, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (120:126, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (93:99, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml (19:25, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (3:10, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (300:308, 2%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (119:127, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:120, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (83:91, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (39:47, 13%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (105:111, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/macos/credential_access_credentials_keychains.toml (25:34, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:125, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:57, 12%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml (109:117, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (107:113, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (144:150, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (61:67, 8%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (65:72, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (101:107, 7%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (129:137, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:57, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (3:10, 11%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (80:88, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:121, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (25:31, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (36:42, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (34:40, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (101:109, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (113:119, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (26:35, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:127, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml (102:110, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (29:35, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (37:43, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (87:93, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (101:107, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (95:102, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (100:106, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (108:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (73:79, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (89:96, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (143:149, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (129:137, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (22:31, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:133, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudtrail_logging_updated.toml (15:21, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (97:103, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (101:109, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (3:10, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (3:10, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (142:150, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (84:90, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (125:131, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (101:107, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:137, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:128, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (73:79, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (3:10, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (127:136, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:137, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:128, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (70:76, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (143:149, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (93:99, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (85:91, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (113:119, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (96:103, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (91:98, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:110, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml (88:96, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (51:59, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (120:126, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (145:151, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (63:71, 9%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (110:118, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:50, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:162, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml (102:110, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml (26:35, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (121:127, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (163:169, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (119:125, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (125:133, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:28, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:29, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (91:98, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (101:109, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (103:109, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (20:26, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:28, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (150:159, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (110:116, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (141:147, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (70:76, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (99:105, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (165:171, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (146:152, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (166:172, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (112:118, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (107:113, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (120:126, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (85:93, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (53:61, 11%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (101:109, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/defense_evasion_cmstp_execution.toml (4:11, 11%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (80:88, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:128, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/credential_access_potential_macos_ssh_bruteforce.toml (42:48, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (46:52, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:34, 18%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (149:155, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (127:136, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (110:118, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (101:107, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (117:123, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (105:111, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_gpo_schtask_service_creation.toml (103:109, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (93:101, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (60:68, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (84:90, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (140:148, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (94:100, 7%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (110:116, 5%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (106:112, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (137:143, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:69, 9%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (127:133, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (107:113, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:112, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (27:34, 7%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (172:178, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (97:103, 6%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (101:107, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (131:137, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (76:82, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (102:108, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (195:201, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (94:100, 7%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (16:22, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:34, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:32, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (42:48, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (116:122, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (122:128, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (182:188, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (112:118, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (91:97, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (94:100, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (106:112, 6%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:169, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml (97:103, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (92:98, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:105, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:33, 10%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (227:235, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (227:235, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml (79:87, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (139:145, 4%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (125:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_install_root_certificate.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (3:10, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (4:11, 8%) 7 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (158:164, 4%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:135, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (3:10, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (161:169, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (85:91, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (116:124, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (120:128, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/privilege_escalation_root_crontab_filemod.toml (101:107, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (89:95, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (107:113, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (106:112, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (43:49, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (25:34, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (60:67, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/credential_access_potential_macos_ssh_bruteforce.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_rds_snapshot_export.toml (15:21, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (94:100, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (31:40, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (95:101, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:127, 4%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:121, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (170:176, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_detected.toml (84:90, 8%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (115:123, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (97:103, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (107:113, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (114:120, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (143:149, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:120, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:128, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (111:117, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:137, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (88:94, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (114:120, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:120, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:99, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (118:124, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (114:120, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (110:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (101:107, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (125:131, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (86:92, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (42:48, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (84:91, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (103:109, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (108:114, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (20:29, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (50:57, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (101:109, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (232:238, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (132:140, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:78, 7%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (146:152, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (187:195, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:57, 12%) 7 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (184:192, 3%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (118:125, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:128, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml (82:90, 7%) - rules_building_block/lateral_movement_at.toml (40:48, 10%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (215:223, 3%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (42:51, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (27:36, 7%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:121, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (145:151, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_redshift_instance_creation.toml (19:25, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (95:101, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (74:80, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (3:10, 15%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (111:117, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (100:108, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (34:40, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (4:11, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml (21:30, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (106:112, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (137:143, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/initial_access_xsl_script_execution_via_com.toml (83:89, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (155:161, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (123:129, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml (147:153, 4%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (100:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:127, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (146:152, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (136:142, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_group_creation.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (100:108, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (85:91, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (23:32, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (101:109, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/credential_access_win_private_key_access.toml (3:10, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_creation.toml (15:21, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (95:101, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (118:124, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (32:38, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (140:148, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:116, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (151:157, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (85:92, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (129:137, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (55:62, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/macos/credential_access_dumping_keychain_security.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (157:163, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (117:123, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (25:34, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml (92:98, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (35:44, 7%) - rules_building_block/discovery_security_software_wmic.toml (37:46, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (93:101, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:84, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml (15:21, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml (81:89, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (63:71, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (71:77, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (133:139, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml (21:30, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:193, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (101:109, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (162:168, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:76, 7%) 7 duplicated lines in: - rules/windows/impact_ransomware_file_rename_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (145:151, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (101:109, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (178:184, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:103, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (33:42, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (137:143, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (179:185, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:101, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:25, 9%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:27, 13%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (158:164, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/persistence_runtime_run_key_startup_susp_procs.toml (92:98, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:25, 10%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:27, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (150:156, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml (84:92, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (107:113, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_microsoft_defender_tampering.toml (134:142, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (48:56, 8%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (89:95, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (123:129, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:60, 11%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (98:104, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (114:120, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:128, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (125:133, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (67:73, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (114:122, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (42:51, 6%) - rules_building_block/discovery_security_software_wmic.toml (30:39, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml (18:24, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (137:143, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (118:124, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (101:109, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (118:124, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (153:162, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml (19:25, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/execution_initial_access_foxmail_exploit.toml (102:108, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (124:132, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (113:119, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (138:146, 5%) - rules_building_block/lateral_movement_at.toml (40:48, 10%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (129:135, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml (80:88, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (47:55, 11%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (105:111, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (134:142, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (106:112, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (114:120, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (100:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (51:59, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:193, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (120:128, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:205, 3%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (142:150, 4%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (120:128, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (100:106, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (100:108, 7%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:48, 12%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml (147:153, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (103:109, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (103:109, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (83:89, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (167:173, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml (81:89, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml (82:90, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (146:152, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:133, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (116:124, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (125:133, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (132:140, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (50:58, 11%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (117:124, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (67:74, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml (71:79, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (88:94, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (141:147, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (148:156, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_address.toml (70:76, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml (82:90, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (103:109, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (110:116, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (84:90, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (3:10, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (19:25, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_prevented.toml (86:92, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:205, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (108:114, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (166:172, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (117:123, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (138:146, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (42:50, 12%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (108:114, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml (120:126, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:135, 5%) 7 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (118:124, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:127, 4%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (98:104, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml (76:84, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (103:109, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (107:113, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:115, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (123:129, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (194:200, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (97:103, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (24:33, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_acl_deletion.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (83:89, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (107:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:128, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (119:127, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:50, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (191:197, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (26:35, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (121:127, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (107:113, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (152:160, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (102:110, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (93:101, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml (117:123, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (96:102, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (45:51, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (145:151, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (101:109, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:61, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (103:109, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml (98:104, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (75:83, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (93:99, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (84:92, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:205, 3%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (125:131, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (305:313, 2%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (97:103, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (105:111, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (117:123, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (239:245, 2%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (163:169, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (98:104, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (138:144, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (136:142, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (83:89, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (124:130, 5%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (3:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/macos/credential_access_systemkey_dumping.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:120, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (107:113, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (34:40, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (86:92, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/network/command_and_control_cobalt_strike_beacon.toml (80:88, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (42:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (115:121, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (96:102, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (116:124, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (180:189, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (4:11, 7%) - rules_building_block/collection_posh_compression.toml (5:13, 5%) 7 duplicated lines in: - rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml (81:89, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/_deprecated/persistence_cron_jobs_creation_and_runtime.toml (41:47, 14%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (166:174, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (98:104, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (111:117, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (140:148, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (122:130, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml (81:89, 8%) - rules_building_block/defense_evasion_file_permission_modification.toml (45:53, 12%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (139:145, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (109:115, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:110, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (146:152, 4%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/_deprecated/command_and_control_smtp_to_the_internet.toml (57:63, 10%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml (26:35, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (62:69, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (88:94, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/discovery_security_software_wmic.toml (4:11, 8%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (76:82, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:31, 11%) 7 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (87:94, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (102:109, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (158:164, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:128, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/collection_outlook_email_archive.toml (3:10, 10%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (129:137, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (113:120, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (106:112, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (141:147, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml (20:26, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:135, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:169, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (31:37, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (99:105, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (97:103, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (91:98, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (88:94, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (112:118, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (98:104, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:99, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (113:119, 5%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/_deprecated/command_and_control_smtp_to_the_internet.toml (57:63, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:116, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (97:103, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (127:133, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (179:187, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (94:100, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (22:28, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (22:28, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (141:147, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_creation.toml (15:21, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (87:95, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (101:107, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (107:113, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sip_provider_mod.toml (25:31, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (108:114, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (35:41, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:34, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_rds_instance_restored.toml (86:92, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (50:56, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (68:74, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (60:68, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (85:91, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (114:120, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (192:200, 3%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (112:120, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/impact_ransomware_note_file_over_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (93:99, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (127:135, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:61, 8%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (151:157, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:112, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (100:106, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (118:125, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (24:30, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (3:10, 6%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (147:153, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (93:101, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (82:88, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (110:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (84:91, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (128:134, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (89:95, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:127, 4%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (104:110, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (80:86, 8%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (104:110, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (117:123, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml (101:110, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (82:88, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (102:109, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml (78:87, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (139:145, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/impact_backup_file_deletion.toml (65:72, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (128:134, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (34:40, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/credential_access_gdb_process_hooking.toml (83:89, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (107:114, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (36:45, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (36:45, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:171, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/lateral_movement_wmic_remote.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (93:100, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (28:35, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (3:10, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (3:10, 11%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:162, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:115, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (112:119, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (112:118, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/execution_wmi_wbemtest.toml (3:10, 14%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml (76:84, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml (28:37, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (239:245, 2%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (93:100, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (85:92, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (145:151, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (95:103, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (82:88, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (95:101, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (82:88, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:60, 11%) 7 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (72:80, 8%) - rules_building_block/lateral_movement_at.toml (40:48, 10%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (85:91, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (46:52, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml (79:85, 9%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (101:107, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (127:136, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (96:104, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (95:103, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:193, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (227:235, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (227:235, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (83:89, 8%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (76:82, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (119:127, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (123:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:89, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (123:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (95:103, 6%) - rules_building_block/discovery_of_domain_groups.toml (41:49, 14%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (74:81, 6%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (172:178, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (121:127, 5%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml (109:117, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (114:120, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (16:22, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (245:253, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml (76:84, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (99:105, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (139:145, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (107:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (123:129, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (152:158, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml (26:35, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (98:104, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (103:109, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (129:135, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (104:110, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml (22:29, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (128:134, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/promotions/privilege_escalation_endgame_process_injection_detected.toml (77:85, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:61, 8%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (77:83, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (145:151, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml (82:90, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (17:26, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudtrail_logging_updated.toml (15:21, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (148:154, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (105:111, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (103:109, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:63, 11%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (22:29, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (25:34, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (139:145, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (119:127, 5%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (63:71, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (51:59, 9%) 7 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (19:25, 5%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (117:123, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml (85:93, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (123:129, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (118:124, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (97:103, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:175, 3%) 7 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (66:74, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (89:97, 6%) - rules_building_block/lateral_movement_at.toml (40:48, 10%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (118:124, 5%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (83:90, 5%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (89:96, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (76:82, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (149:155, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (137:143, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (146:152, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (113:121, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (98:104, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (138:146, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (107:113, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (3:10, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (4:11, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (138:144, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (101:109, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (83:89, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_install_root_certificate.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (117:123, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_creation.toml (65:71, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (31:37, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (34:40, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:171, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (109:115, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (110:116, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:74, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (57:63, 7%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (147:153, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (109:115, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (87:93, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml (104:112, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (93:101, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (60:66, 8%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (109:115, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (27:33, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (21:30, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (99:107, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (45:51, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:171, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (3:10, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml (81:88, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml (97:103, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (91:97, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (23:32, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (27:33, 6%) - rules_building_block/lateral_movement_at.toml (24:30, 10%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (107:113, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (34:40, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (28:34, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:34, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (3:10, 7%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/linux/privilege_escalation_kworker_uid_elevation.toml (48:54, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (49:55, 5%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_creation.toml (80:89, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (106:112, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:114, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:29, 3%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:99, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (121:127, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (93:100, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (36:45, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (27:36, 7%) 7 duplicated lines in: - rules/macos/credential_access_promt_for_pwd_via_osascript.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (50:56, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (44:50, 9%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (130:138, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (98:104, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (120:126, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (93:101, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (70:78, 9%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (126:132, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (126:132, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (146:152, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (145:151, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (3:10, 6%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (106:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:127, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (87:93, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:120, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (23:29, 8%) - rules_building_block/discovery_capnetraw_capability.toml (51:57, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:127, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (22:31, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (136:142, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (3:10, 8%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (108:114, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (182:190, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:45, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (85:93, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (166:172, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (115:121, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (107:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (82:88, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (52:58, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (90:96, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (84:90, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (96:103, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (143:151, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml (61:67, 10%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (84:90, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (3:10, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (3:10, 11%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (3:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (3:10, 11%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (42:48, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (115:121, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (116:124, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:57, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (116:123, 2%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (119:127, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml (15:21, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/impact_ransomware_file_rename_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (133:139, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (132:138, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml (123:129, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (116:124, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (142:150, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (115:121, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (42:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (133:139, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (102:108, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:31, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (22:28, 13%) 7 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (153:162, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (102:108, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml (30:38, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (48:56, 10%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (137:143, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (150:157, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (182:188, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (41:47, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (77:84, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (93:101, 7%) - rules_building_block/discovery_hosts_file_access.toml (40:48, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (3:10, 7%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (3:10, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (143:151, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (134:142, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (149:156, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (3:10, 6%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (155:161, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_timestomp_sysmon.toml (94:100, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (3:10, 9%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (87:93, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (81:87, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (116:124, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (143:149, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (103:109, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (106:112, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (245:253, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (100:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml (77:85, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (135:143, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (106:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (3:10, 5%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (113:119, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (115:123, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (34:40, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (109:115, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (145:151, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (105:111, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (228:236, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (3:10, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:193, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (91:97, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_timestomp_sysmon.toml (94:100, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (113:119, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (165:171, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (100:108, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (140:146, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (88:94, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (129:135, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (137:145, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml (19:25, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/discovery_generic_process_discovery.toml (4:11, 12%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (99:105, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (45:51, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (94:101, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (90:96, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (122:128, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (113:119, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (90:96, 6%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (44:50, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:56, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (91:97, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (95:103, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (185:193, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (57:64, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (80:88, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (40:48, 13%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (99:107, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (51:58, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (55:62, 8%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (103:109, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (143:149, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (120:126, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/credential_access_potential_macos_ssh_bruteforce.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (3:10, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (3:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (3:10, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (179:185, 4%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (3:10, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (25:34, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (43:49, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (95:103, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (259:267, 2%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (104:110, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (83:89, 8%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (104:110, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_group_creation.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (43:49, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (3:10, 15%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (86:92, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (127:133, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (105:111, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (113:121, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (51:59, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (87:93, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (3:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_install_root_certificate.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (3:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (94:100, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (125:133, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (99:107, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/command_and_control_outlook_home_page.toml (92:99, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_code_injection_conhost.toml (94:102, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (105:111, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml (18:24, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/execution_initial_access_wps_dll_exploit.toml (99:105, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (107:113, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (32:38, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (108:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:67, 8%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:70, 5%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (61:68, 8%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (156:162, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (232:238, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml (81:89, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (85:93, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (159:165, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml (92:100, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (50:58, 11%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (152:159, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_redshift_instance_creation.toml (19:25, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (23:32, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (110:118, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (126:132, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (110:116, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (117:123, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (3:10, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (145:151, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (105:111, 6%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_filesystem.toml (29:35, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (35:44, 7%) - rules_building_block/discovery_net_view.toml (34:43, 6%) 7 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (126:132, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (95:103, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (107:113, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml (81:89, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (137:143, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml (101:107, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (259:267, 2%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (97:103, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (124:130, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (108:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (95:101, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/persistence_sysmon_wmi_event_subscription.toml (85:91, 8%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (102:108, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (123:129, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (123:129, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/command_and_control_outlook_home_page.toml (92:99, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (26:35, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (112:118, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (112:120, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (98:104, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (181:187, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (132:138, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (87:93, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (91:97, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (43:49, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (110:116, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (86:92, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (133:139, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (23:30, 7%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (90:96, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/macos/credential_access_mitm_localhost_webproxy.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (91:98, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (132:138, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (155:162, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (34:40, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (84:90, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (94:101, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (143:149, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (195:201, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (83:90, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:120, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (172:178, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (152:158, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (113:121, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (104:110, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (75:83, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (93:100, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (116:122, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (116:124, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (116:122, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (41:47, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (3:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:34, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:25, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (103:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:120, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (108:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (166:172, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (110:116, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (158:164, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_rogue_windir_environment_var.toml (94:100, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (101:107, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (104:110, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (44:51, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (99:107, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (141:150, 4%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (106:114, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (106:113, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:125, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (34:40, 6%) - rules_building_block/execution_unsigned_service_executable.toml (22:28, 9%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (97:103, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:34, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:27, 12%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (145:151, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (124:132, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (101:107, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (105:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_dir_ads.toml (23:29, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (95:101, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_acl_deletion.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:135, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (110:116, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (135:141, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:193, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:120, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (50:56, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (38:44, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (145:151, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (103:109, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:337, 2%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (25:34, 5%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (94:100, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:115, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (120:126, 6%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (104:110, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (118:124, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (105:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml (15:21, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (97:103, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_sip_provider_mod.toml (25:31, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:162, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/initial_access_xsl_script_execution_via_com.toml (83:89, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (56:63, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (104:110, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (143:151, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (45:51, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:74, 6%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:70, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (32:38, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (53:59, 5%) - rules_building_block/discovery_net_view.toml (41:47, 6%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (148:154, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml (60:66, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (103:111, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (126:132, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/impact_ransomware_note_file_over_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (104:110, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (109:115, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (116:122, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (107:114, 4%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (131:137, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (131:137, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:137, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (122:128, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (85:93, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (179:187, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (164:172, 3%) 7 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml (82:90, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (96:104, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (108:114, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (100:106, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/persistence_via_bits_job_notify_command.toml (81:89, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (72:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (92:98, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (93:100, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:96, 8%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (119:125, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (89:95, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_install_root_certificate.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (105:112, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (67:74, 6%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (86:93, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:121, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (26:33, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (86:92, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (118:124, 6%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (21:30, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (98:104, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (100:107, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (125:131, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (101:107, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:133, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (95:103, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (133:139, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (110:116, 5%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml (31:39, 17%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (60:68, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:162, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (132:140, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (108:114, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (16:22, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (117:123, 5%) - rules_building_block/discovery_posh_generic.toml (202:209, 2%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (107:113, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:120, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (82:89, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (92:98, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml (64:70, 9%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (97:103, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (134:140, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (132:138, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (126:132, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (114:122, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (19:26, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (143:149, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:115, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (45:51, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (167:173, 4%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:154, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:57, 12%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (99:107, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (40:48, 13%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (21:28, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (100:106, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:128, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:51, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_kworker_uid_elevation.toml (116:122, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (86:92, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:120, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (89:95, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (93:101, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (90:96, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (122:128, 4%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/_deprecated/discovery_whoami_commmand.toml (33:41, 17%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (39:47, 13%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (142:148, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/lateral_movement_at.toml (3:10, 10%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:127, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (239:245, 2%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (115:123, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:57, 12%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (55:61, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (105:111, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (125:131, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (97:104, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (43:49, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (122:130, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (82:88, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (147:153, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_acl_modification_via_setfacl.toml (81:89, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (100:106, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (113:119, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:28, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (135:143, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/aws/persistence_redshift_instance_creation.toml (83:92, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/macos/privilege_escalation_root_crontab_filemod.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:50, 12%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (120:126, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (24:31, 8%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (39:46, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (100:106, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (53:60, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (121:127, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (287:295, 2%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (141:147, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (158:164, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_registry.toml (66:72, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (106:112, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (146:152, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:105, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:34, 7%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (129:135, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (142:148, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml (80:88, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (112:120, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (19:25, 5%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:115, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (46:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (98:104, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:120, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (140:148, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (73:80, 6%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml (16:22, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (71:77, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (129:135, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (3:10, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (74:81, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (34:41, 10%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (98:104, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/integrations/github/persistence_organization_owner_role_granted.toml (73:79, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (46:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (87:94, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (116:124, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (105:111, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (95:101, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (83:89, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (143:149, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (105:111, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (116:122, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (113:121, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (123:129, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (100:108, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (42:48, 6%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:128, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (161:167, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/_deprecated/execution_via_net_com_assemblies.toml (34:40, 15%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:34, 18%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (3:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (99:107, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (46:52, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (119:127, 5%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (321:327, 2%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (87:94, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (102:108, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (94:100, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (3:10, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (232:238, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (3:10, 5%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (114:122, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (88:94, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (98:104, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (166:172, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (3:10, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (4:11, 13%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (77:83, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (129:135, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:63, 11%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (246:254, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml (82:90, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:78, 7%) 7 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (89:96, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (3:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:68, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (57:63, 7%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (113:121, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (106:112, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (109:115, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (123:129, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (27:33, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (133:139, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (27:34, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (125:131, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (24:33, 8%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (129:135, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (73:81, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (105:111, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (22:31, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (133:141, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (161:169, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (27:34, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (81:88, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (88:94, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_dir_ads.toml (23:29, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (165:173, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (96:105, 6%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (73:79, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (108:114, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml (92:98, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (20:27, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (117:123, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:112, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:127, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (108:114, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (106:112, 6%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_evasion_rdp_shadowing.toml (106:112, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (119:127, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (100:108, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml (15:21, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (128:136, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:34, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:38, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (92:98, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (103:109, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (114:120, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_named_pipe_impersonation.toml (91:98, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (143:149, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:121, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (46:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (49:55, 9%) 7 duplicated lines in: - rules/macos/credential_access_systemkey_dumping.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (99:106, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (100:108, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (23:32, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (101:107, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (106:114, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (143:151, 4%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (97:103, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (119:127, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:34, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:28, 11%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (113:119, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (116:124, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (145:151, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (132:138, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:82, 5%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:70, 5%) 7 duplicated lines in: - rules/_deprecated/execution_via_net_com_assemblies.toml (34:40, 15%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (146:152, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml (85:93, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (143:151, 4%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (138:144, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (119:127, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (97:103, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (143:149, 4%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (199:205, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (86:94, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (95:101, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (199:205, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (108:114, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml (18:24, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (83:89, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (117:123, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (114:120, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:135, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (140:148, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml (113:119, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (140:148, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (97:103, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (107:113, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (100:108, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (132:140, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (70:78, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:120, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (29:35, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:112, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (105:111, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (122:128, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (13:19, 6%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (15:21, 9%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (119:127, 5%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (90:96, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml (16:22, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (120:127, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (84:90, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (109:115, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (87:93, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (106:112, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (32:38, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (111:117, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml (79:87, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (129:137, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (126:132, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (39:45, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (132:138, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml (20:26, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (125:133, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml (82:90, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (47:53, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (116:122, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (168:174, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (105:111, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (3:10, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (79:85, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (117:123, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (157:163, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (3:10, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (79:86, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (88:96, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (104:113, 5%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (153:162, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/credential_access_dumping_keychain_security.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml (77:85, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (36:42, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (26:32, 13%) 7 duplicated lines in: - rules/macos/credential_access_mitm_localhost_webproxy.toml (46:52, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/integrations/azure/collection_update_event_hub_auth_rule.toml (87:93, 8%) - rules_building_block/collection_posh_compression.toml (120:128, 5%) 7 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (74:82, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (113:121, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml (69:77, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (143:149, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (3:10, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (8:16, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (16:24, 5%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (120:126, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:137, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:137, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (166:172, 4%) - rules_building_block/collection_posh_compression.toml (120:128, 5%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (58:64, 7%) - rules_building_block/discovery_posh_password_policy.toml (41:47, 6%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (98:104, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (97:103, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:162, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (31:40, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (89:95, 8%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (98:106, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (125:133, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (118:125, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_prevented.toml (86:92, 8%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml (107:113, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (123:129, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (26:33, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (105:111, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:120, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (17:26, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (4:11, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (75:83, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (51:59, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (105:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (118:124, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (146:154, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (113:121, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (48:56, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (79:86, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (34:41, 10%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (3:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (124:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:121, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_microsoft_defender_tampering.toml (134:142, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (236:242, 3%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (147:155, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (95:101, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (117:123, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (117:123, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (179:185, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (111:117, 3%) - rules_building_block/discovery_security_software_wmic.toml (52:58, 8%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (129:135, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (143:149, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml (93:99, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (110:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:121, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (91:99, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/_deprecated/execution_linux_process_started_in_temp_directory.toml (38:47, 16%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (152:159, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (116:122, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:34, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:28, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (195:201, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:171, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (133:141, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (93:100, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (33:42, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:120, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (105:113, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (116:122, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (100:107, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:113, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (3:10, 10%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (152:159, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (96:104, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (110:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (73:79, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:32, 11%) 7 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (111:117, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (79:86, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (96:103, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (137:143, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:95, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:162, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (131:137, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml (138:144, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (3:10, 12%) 7 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (123:129, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (137:143, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (45:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (107:113, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (121:127, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (74:80, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (111:117, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (35:44, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (36:45, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (46:53, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (125:131, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (143:149, 4%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/credential_access_promt_for_pwd_via_osascript.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml (110:116, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (42:48, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (124:132, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (143:151, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml (20:26, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (106:112, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_network_acl_creation.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (95:103, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (4:11, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:128, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_sip_provider_mod.toml (25:31, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (25:34, 5%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (104:110, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (142:150, 4%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (100:106, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (123:129, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (111:117, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (134:142, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (68:74, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (149:156, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (101:107, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (147:153, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (106:112, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (148:156, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (97:103, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (120:126, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (115:121, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (93:99, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (92:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (101:107, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:171, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (94:100, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (91:97, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (30:36, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (199:205, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (117:123, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (95:102, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (88:94, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (119:125, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:120, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (110:116, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (42:48, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (240:248, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (21:30, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (101:107, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (92:98, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (239:245, 2%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (108:114, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (123:129, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (116:122, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (105:111, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:89, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml (20:26, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/execution_initial_access_foxmail_exploit.toml (102:108, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (73:79, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (103:109, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (100:106, 6%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:166, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (107:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (113:119, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml (103:111, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (107:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:193, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (44:50, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (124:132, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (129:137, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (104:112, 5%) - rules_building_block/discovery_internet_capabilities.toml (39:47, 12%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (31:40, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (119:125, 4%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:32, 11%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (216:222, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml (60:66, 10%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (3:10, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (88:94, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (82:88, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml (15:21, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (23:30, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (110:116, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml (117:123, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (95:101, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (16:22, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (46:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:162, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (155:161, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:162, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (120:128, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:99, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (27:33, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (117:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:125, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (91:97, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (122:128, 4%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:175, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_dir_ads.toml (23:29, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (71:78, 3%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (93:100, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (102:108, 7%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (84:90, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (104:110, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (136:144, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (132:138, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (73:79, 8%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (95:101, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (123:129, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (45:51, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (123:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (123:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:112, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:120, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (45:51, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (49:55, 5%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (100:106, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (99:105, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (140:148, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (145:151, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml (107:113, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (97:105, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (101:109, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:82, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (57:63, 7%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (17:23, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:135, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (123:129, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (16:22, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (81:88, 5%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (141:147, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (134:142, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (88:96, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (110:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (117:123, 6%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (123:131, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml (22:29, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:171, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (94:100, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (131:137, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (192:200, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (137:143, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml (19:25, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (179:185, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (166:172, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:120, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (163:169, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (121:128, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (3:10, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (143:151, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (3:10, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (3:10, 11%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (125:131, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (99:105, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (120:126, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (105:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (49:55, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (49:55, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:70, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (30:36, 8%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (20:29, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_table_created.toml (16:22, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (150:156, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (27:34, 6%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:133, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (73:80, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (142:150, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (116:124, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_suppression_rule_created.toml (79:87, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (122:128, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (20:29, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (97:104, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (91:98, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:48, 13%) 7 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (16:22, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (131:137, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (102:108, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/persistence_user_or_group_creation_or_modification.toml (59:65, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (20:29, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (94:100, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (194:200, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (127:133, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (103:111, 6%) - rules_building_block/discovery_hosts_file_access.toml (40:48, 14%) 7 duplicated lines in: - rules/linux/command_and_control_linux_ssh_x11_forwarding.toml (92:99, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (115:121, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (161:169, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (203:211, 3%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:112, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (99:105, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:99, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (195:201, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (110:118, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:58, 8%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (100:108, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (99:107, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:41, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:34, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (3:10, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (3:10, 6%) 7 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (112:118, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (16:22, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml (81:89, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (28:34, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (22:28, 7%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (185:193, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:57, 12%) 7 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (51:58, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (24:30, 3%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (92:98, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (140:148, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (36:45, 5%) - rules_building_block/discovery_net_view.toml (34:43, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/macos/privilege_escalation_root_crontab_filemod.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_group_creation.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (134:142, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (111:117, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (140:148, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (43:49, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (145:151, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (109:115, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (122:130, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (51:58, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (185:191, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (118:124, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml (19:25, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (228:236, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (27:33, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (30:36, 9%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (106:112, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (123:131, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (83:89, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml (81:87, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml (15:21, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (138:146, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (70:78, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (4:11, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (112:118, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:69, 9%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (92:98, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (305:313, 2%) - rules_building_block/defense_evasion_masquerading_browsers.toml (164:172, 3%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (120:126, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (109:115, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (61:68, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (259:267, 2%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (133:141, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (110:116, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (128:136, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (3:10, 12%) 7 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (87:95, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (161:169, 4%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (44:51, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (109:115, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (88:94, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (109:115, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (112:118, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (109:115, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:121, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (64:71, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (28:35, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/linux/command_and_control_linux_proxychains_activity.toml (96:103, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (137:143, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml (19:25, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (42:48, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml (19:25, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:48, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml (88:96, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (48:56, 8%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (42:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (112:120, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:121, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (107:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (141:149, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (169:175, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (87:95, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (72:78, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (123:129, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (125:131, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:128, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml (147:153, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:116, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (110:116, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (138:144, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (123:129, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (100:107, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (3:10, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (109:115, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (102:110, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (51:59, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (88:94, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_deletion.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (22:31, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (124:130, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (50:57, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (117:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (106:112, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (34:40, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (99:105, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (105:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:193, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (150:156, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (133:139, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (131:137, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (77:83, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (3:10, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (91:97, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (83:89, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/collection_outlook_email_archive.toml (3:10, 10%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (22:31, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (97:103, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_rds_snapshot_export.toml (15:21, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (104:110, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (87:94, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (142:150, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (85:93, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (46:52, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:128, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml (110:116, 5%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (131:137, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:99, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (123:131, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (48:54, 12%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (73:79, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (92:99, 2%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml (95:101, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (129:137, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:70, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (24:30, 8%) 7 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (75:81, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml (107:113, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (22:31, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml (117:123, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (107:115, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (107:115, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (115:123, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (105:111, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:128, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:34, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:32, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (94:100, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (109:115, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (24:30, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (83:90, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (91:99, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (119:125, 4%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:97, 7%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (216:222, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml (102:110, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (151:157, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (32:38, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:112, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (128:136, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/lateral_movement_at.toml (3:10, 10%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (128:134, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (83:89, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (161:167, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (127:133, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_microsoft_defender_tampering.toml (134:142, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (51:59, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (124:130, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (22:29, 7%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (121:127, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (141:148, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (119:126, 4%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (93:100, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (233:241, 3%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (89:96, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (102:109, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/credential_access_promt_for_pwd_via_osascript.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (104:110, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (104:110, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:99, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/credential_access_dumping_keychain_security.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (107:115, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:89, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (107:115, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (133:141, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (73:81, 7%) - rules_building_block/lateral_movement_at.toml (40:48, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml (81:89, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/macos/credential_access_potential_macos_ssh_bruteforce.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:101, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (106:112, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:135, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/lateral_movement_at.toml (3:10, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (172:178, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (143:151, 4%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (103:109, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (100:108, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (3:10, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (107:113, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (32:38, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (20:29, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (80:86, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:34, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:31, 12%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_job_creation.toml (81:87, 8%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (145:151, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (145:151, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (157:163, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (26:33, 5%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (128:134, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (76:82, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (111:117, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:120, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (115:121, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:121, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (134:142, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:127, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/persistence_login_logout_hooks_defaults.toml (45:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (21:28, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (101:107, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml (104:112, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (91:97, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/credential_access_credentials_keychains.toml (25:34, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (3:10, 6%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml (66:74, 11%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (29:35, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (105:111, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/macos/persistence_login_logout_hooks_defaults.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (151:157, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:29, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:34, 7%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (35:44, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (34:43, 7%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (105:113, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:51, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (115:121, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (148:154, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (50:56, 7%) - rules_building_block/discovery_posh_password_policy.toml (40:46, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml (53:60, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml (110:116, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:137, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (90:96, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (3:10, 6%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml (86:94, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (27:33, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (23:29, 11%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (109:115, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (120:126, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_filesystem.toml (29:35, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml (102:110, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (102:108, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (24:30, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (116:122, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (95:101, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (103:111, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (143:149, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (172:178, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (45:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (114:120, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (91:99, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (30:36, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (30:36, 8%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (114:122, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (140:148, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (94:100, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (17:23, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml (97:103, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:135, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (142:150, 4%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (69:76, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (112:118, 6%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (166:172, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_rds_instance_restored.toml (32:38, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (32:38, 11%) 7 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (84:90, 8%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (148:154, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_network_acl_creation.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (102:108, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (128:136, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml (3:10, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (4:11, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (119:125, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (129:135, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml (76:84, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:61, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (59:65, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:129, 4%) 7 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:145, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (100:106, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (168:174, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (88:96, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (51:59, 8%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (148:154, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (129:135, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (114:120, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (106:112, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (117:123, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (139:145, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (77:83, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (96:102, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (48:54, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:128, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (96:103, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (91:97, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (150:156, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (85:92, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (34:41, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml (15:21, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (143:149, 4%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (105:111, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:138, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (133:139, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/integrations/aws/collection_cloudtrail_logging_created.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml (18:24, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:133, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (80:87, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (34:43, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml (53:60, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (47:53, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml (98:104, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:193, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (145:151, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (118:124, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (106:112, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (26:33, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (24:33, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml (95:101, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml (76:84, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (103:109, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml (93:99, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (126:132, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/impact_ransomware_file_rename_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (66:72, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:56, 5%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (101:107, 6%) - rules_building_block/collection_posh_compression.toml (120:128, 5%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (131:138, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (59:65, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (233:241, 3%) - rules_building_block/persistence_startup_folder_lnk.toml (46:54, 11%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (192:200, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (71:78, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (87:95, 6%) - rules_building_block/lateral_movement_at.toml (40:48, 10%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (137:143, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (101:109, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (164:172, 4%) - rules_building_block/lateral_movement_at.toml (40:48, 10%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml (81:89, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (117:123, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (103:109, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (95:101, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (111:117, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (53:59, 11%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (99:105, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (149:155, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (33:42, 8%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (81:89, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (111:117, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (321:327, 2%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (166:172, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (126:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (157:163, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (158:164, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (125:132, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (145:151, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/command_and_control_iexplore_via_com.toml (98:104, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (65:73, 8%) - rules_building_block/persistence_startup_folder_lnk.toml (46:54, 11%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (100:106, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (76:83, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_browser_extension_install.toml (29:35, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (22:28, 11%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (116:122, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (108:114, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:128, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:137, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (107:113, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (122:128, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:205, 3%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (3:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml (85:93, 8%) - rules_building_block/privilege_escalation_trap_execution.toml (40:48, 13%) 7 duplicated lines in: - rules/_deprecated/execution_via_net_com_assemblies.toml (28:37, 15%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (42:51, 6%) - rules_building_block/discovery_net_view.toml (27:36, 6%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml (22:28, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (101:107, 6%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (3:10, 7%) - rules_building_block/discovery_net_view.toml (4:11, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (99:107, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml (93:99, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (99:105, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (22:31, 4%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (114:120, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (95:101, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (132:138, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (132:138, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/cross-platform/persistence_shell_profile_modification.toml (90:96, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (140:148, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (26:35, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (107:113, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:137, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/discovery_security_software_wmic.toml (4:11, 8%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml (92:98, 7%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (95:101, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (86:92, 8%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (46:52, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (111:119, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (94:100, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (133:139, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (88:96, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (172:178, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/network/command_and_control_halfbaked_beacon.toml (78:86, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (100:106, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (127:133, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (119:125, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/credential_access_mitm_localhost_webproxy.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (249:255, 3%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (81:87, 8%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_kworker_uid_elevation.toml (103:109, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (75:83, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (131:139, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:50, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (103:109, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (113:119, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (98:104, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (100:108, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (24:31, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:193, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (93:99, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_udev_rule_creation.toml (47:53, 5%) - rules_building_block/discovery_capnetraw_capability.toml (49:55, 9%) 7 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (151:157, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (162:170, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:58, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:171, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (34:43, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (85:92, 5%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/windows/command_and_control_iexplore_via_com.toml (98:104, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/integrations/azure/collection_update_event_hub_auth_rule.toml (87:93, 8%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (46:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (83:89, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:115, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (122:128, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (123:131, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (166:172, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (34:43, 5%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (130:136, 5%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (119:127, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (102:108, 7%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (31:37, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/windows/initial_access_xsl_script_execution_via_com.toml (83:89, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (115:121, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (21:29, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (16:24, 5%) 7 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (94:100, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (99:105, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (123:129, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (88:94, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (100:106, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (127:135, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:135, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (120:126, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml (77:84, 9%) - rules_building_block/credential_access_win_private_key_access.toml (74:82, 8%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (228:236, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (105:111, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (109:115, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:34, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:27, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (85:91, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:104, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (108:114, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (107:113, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml (117:123, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_hash.toml (71:77, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (107:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (39:45, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (26:32, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/network/command_and_control_port_26_activity.toml (78:84, 9%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:116, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (146:152, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (117:123, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (134:142, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (83:90, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (34:41, 10%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/defense_evasion_services_exe_path.toml (3:10, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (88:94, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (88:96, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (82:89, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (114:120, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (3:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (140:146, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (109:115, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (108:114, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (65:73, 8%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:45, 14%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (155:161, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:68, 6%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:70, 5%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (159:165, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:87, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_filesystem.toml (29:35, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:70, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:28, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (109:115, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (155:161, 4%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (199:205, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (68:74, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:140, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (92:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (99:105, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (180:189, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml (69:77, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (105:111, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (120:128, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (97:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (23:30, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_gpo_schtask_service_creation.toml (99:105, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/execution_initial_access_wps_dll_exploit.toml (99:105, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (111:117, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (102:108, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (143:149, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (139:145, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (3:10, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (145:151, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (133:141, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (199:205, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:56, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:120, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (80:86, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (26:35, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:128, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:126, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:154, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (102:110, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (147:153, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_security_software_wmic.toml (87:93, 8%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (61:67, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:95, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (161:167, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (145:151, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (117:123, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (110:116, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (105:113, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (133:139, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml (147:153, 4%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (105:111, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (103:109, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (103:109, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (116:122, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml (85:93, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:34, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:38, 11%) 7 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (101:109, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (36:45, 6%) - rules_building_block/discovery_net_view.toml (27:36, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:127, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (161:167, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (143:149, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (85:91, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (125:133, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (118:124, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (101:107, 7%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (122:130, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (145:151, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (108:114, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (212:218, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (99:105, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (105:113, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (90:98, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (127:133, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (127:133, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (157:163, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (93:101, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (42:50, 12%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (103:109, 6%) - rules_building_block/lateral_movement_at.toml (51:57, 10%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (107:113, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (185:191, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (203:211, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (93:99, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (143:149, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (122:129, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (125:131, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (120:126, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (108:116, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (86:93, 2%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:67, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (57:63, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:100, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (24:30, 9%) - rules_building_block/discovery_capnetraw_capability.toml (51:57, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (98:106, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (117:123, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (182:188, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (86:92, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml (66:74, 11%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (109:117, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (111:117, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:337, 2%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (4:11, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (126:132, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (102:108, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:72, 9%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (97:105, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml (79:85, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:32, 11%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (121:128, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (136:142, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/credential_access_gdb_process_hooking.toml (83:89, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (85:91, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (44:50, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (130:137, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml (84:92, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/windows/credential_access_regback_sam_security_hives.toml (77:85, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (110:118, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/command_and_control_bitsadmin_activity.toml (3:10, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (112:118, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (87:93, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (17:26, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (22:31, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (45:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:116, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (109:117, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (3:10, 10%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (109:115, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (3:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (3:10, 11%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (137:143, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (104:110, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml (82:90, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (99:105, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml (61:67, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (80:86, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (102:108, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (54:60, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (101:107, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (161:167, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (130:138, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (143:149, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (114:120, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (3:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (251:259, 3%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml (16:22, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (23:32, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml (71:79, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml (84:90, 8%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:162, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (122:128, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/macos/credential_access_systemkey_dumping.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (95:101, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:121, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (145:151, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (129:137, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (176:184, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:57, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (165:171, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (3:10, 12%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (125:133, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (53:61, 11%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (115:121, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (94:100, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/macos/credential_access_credentials_keychains.toml (25:34, 5%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (104:112, 5%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (131:139, 5%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (239:245, 2%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (133:139, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (118:124, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (125:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (113:121, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (104:110, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (100:106, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:121, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (158:164, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (113:119, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:120, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (112:118, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (118:125, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:121, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (105:111, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (160:166, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (99:105, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (185:191, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (113:119, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (119:125, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (97:103, 6%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml (80:88, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (63:71, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (101:109, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:85, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (98:104, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (94:100, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:120, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (82:88, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (154:160, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/persistence_services_registry.toml (119:125, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:115, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (136:142, 5%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (105:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (117:123, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:104, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (94:101, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (97:103, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (117:123, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (98:106, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (102:108, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (21:30, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (125:131, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:113, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (3:10, 5%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:115, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (100:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (48:56, 8%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (145:151, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml (31:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (48:56, 10%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml (79:87, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (108:116, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (94:100, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:114, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:28, 7%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (103:109, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (94:100, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (3:10, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (102:108, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/persistence_login_logout_hooks_defaults.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/impact_ransomware_note_file_over_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (122:128, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (26:32, 13%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (20:29, 5%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (102:110, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (48:56, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (79:85, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:118, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (3:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (120:128, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (112:118, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (97:103, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml (81:89, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (124:132, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (153:161, 4%) 7 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (85:93, 7%) - rules_building_block/lateral_movement_at.toml (40:48, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (95:102, 6%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (116:122, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (93:99, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (140:146, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:127, 4%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (119:125, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (105:113, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (3:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (114:120, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (84:90, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (103:109, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:59, 11%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (36:45, 6%) - rules_building_block/discovery_security_software_wmic.toml (30:39, 8%) 7 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (101:107, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (83:89, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (106:113, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (101:107, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml (124:130, 5%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (73:79, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (115:123, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (68:74, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (31:37, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (59:65, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (3:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:122, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (179:185, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (102:108, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (133:139, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:138, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:111, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (122:128, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (145:151, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (141:147, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (143:149, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (100:106, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (116:122, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (123:131, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:135, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (94:100, 7%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_evasion_rdp_shadowing.toml (106:112, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml (15:21, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (3:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (125:131, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml (88:96, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (129:137, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:96, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (121:128, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (94:100, 7%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (110:116, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (239:245, 2%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (21:30, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (88:96, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (48:56, 8%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml (82:90, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (39:45, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (26:32, 13%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (156:164, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:128, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (110:116, 3%) - rules_building_block/discovery_net_view.toml (59:65, 6%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:133, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (45:51, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (132:138, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (79:86, 6%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (139:145, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (110:116, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/discovery_generic_process_discovery.toml (4:11, 12%) 7 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (83:89, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (97:103, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (90:97, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml (31:39, 17%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (38:46, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (118:124, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (127:133, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/network/command_and_control_port_26_activity.toml (78:84, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (133:141, 5%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:133, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (106:112, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:115, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:99, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (106:112, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (143:149, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (73:79, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (31:37, 11%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_table_created.toml (16:22, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (3:10, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:205, 3%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/macos/privilege_escalation_root_crontab_filemod.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (59:65, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (104:110, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (81:88, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (34:41, 10%) 7 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (118:124, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (77:84, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (107:113, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (163:169, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_net_view.toml (107:113, 6%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (114:121, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (119:127, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (49:57, 12%) 7 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (107:113, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (125:131, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (113:121, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (4:11, 11%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (26:33, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (3:10, 5%) - rules_building_block/discovery_posh_password_policy.toml (3:10, 6%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (131:137, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (119:127, 5%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (3:10, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (22:31, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (21:30, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (137:145, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (95:103, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:125, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml (16:22, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml (80:88, 9%) - rules_building_block/defense_evasion_file_permission_modification.toml (45:53, 12%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (21:30, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (122:128, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (111:117, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (113:119, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:111, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (150:156, 4%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/network/command_and_control_fin7_c2_behavior.toml (41:49, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:151, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml (64:70, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (75:81, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:34, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:25, 9%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (102:109, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (138:146, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_deletion.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (152:159, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (140:146, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (118:124, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:164, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (126:132, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (264:272, 2%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (143:150, 4%) - rules_building_block/collection_posh_compression.toml (76:83, 5%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (117:125, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (39:47, 13%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (190:196, 3%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (110:116, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (31:37, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (36:45, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (34:43, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (139:145, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:76, 7%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (145:151, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (165:171, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_app_compat_shim.toml (89:95, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (109:115, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (54:60, 9%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (3:10, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (161:169, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (51:59, 9%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml (82:90, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (35:43, 14%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (110:116, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml (59:65, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (156:162, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (92:98, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml (28:37, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/execution_wmi_wbemtest.toml (3:10, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (138:146, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (50:58, 11%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (143:151, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (51:58, 7%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (46:52, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (103:109, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (132:140, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (121:127, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (92:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (3:10, 9%) - rules_building_block/discovery_net_share_discovery_winlog.toml (3:10, 11%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/integrations/aws/collection_cloudtrail_logging_created.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (113:119, 6%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (24:31, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (203:211, 3%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_group_creation.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (117:123, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (122:128, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (107:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:65, 10%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (98:104, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:112, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (10:18, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (16:24, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (99:105, 5%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (74:80, 9%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (162:168, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (95:101, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (124:130, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (198:206, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (86:93, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/privilege_escalation_kworker_uid_elevation.toml (57:64, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:95, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (87:94, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (27:33, 6%) - rules_building_block/execution_wmi_wbemtest.toml (24:30, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (109:115, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (109:115, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:89, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_table_created.toml (86:95, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (3:10, 8%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_posh_generic.toml (284:291, 2%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (192:200, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (88:96, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/credential_access_tcpdump_activity.toml (45:51, 13%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (158:164, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (21:30, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (115:121, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (44:50, 2%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/credential_access_win_private_key_access.toml (3:10, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:109, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (107:113, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (64:71, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/persistence_login_logout_hooks_defaults.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (125:133, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (142:150, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (143:149, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (140:146, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (129:137, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (119:125, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (101:109, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (143:149, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_creation.toml (29:35, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (22:28, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (92:98, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (127:133, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:89, 8%) 7 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (127:133, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (91:98, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (83:89, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:79, 9%) 7 duplicated lines in: - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml (103:111, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:34, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:27, 12%) 7 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (93:100, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 4%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (27:33, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:31, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml (87:95, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (50:58, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:107, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (36:45, 5%) - rules_building_block/discovery_security_software_wmic.toml (37:46, 8%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (199:205, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (199:205, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (83:89, 8%) 7 duplicated lines in: - rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml (21:30, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (123:129, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (107:113, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (99:107, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:116, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (102:109, 5%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (85:93, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (40:48, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (3:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (3:10, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (25:33, 17%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:123, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:98, 7%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (132:140, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (140:148, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_detected.toml (84:90, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (108:114, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (23:32, 5%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (93:101, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (50:58, 11%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (145:151, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (149:155, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (116:124, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (252:258, 2%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:118, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (111:119, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (158:164, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:51, 12%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (107:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (98:104, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (113:121, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml (124:130, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (16:22, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml (85:93, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (67:75, 7%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (161:169, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (84:92, 8%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (21:30, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:166, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:65, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:171, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (127:133, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml (28:37, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (89:96, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (70:76, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (25:31, 8%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (146:152, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:109, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml (19:25, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (36:44, 12%) 7 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (138:146, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (159:165, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (91:97, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (91:97, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:73, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:135, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (105:111, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (119:125, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (89:95, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (194:200, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (28:34, 7%) - rules_building_block/credential_access_win_private_key_access.toml (27:33, 8%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (134:142, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (100:106, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:114, 6%) 7 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml (123:129, 5%) - rules_building_block/credential_access_win_private_key_access.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (109:115, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (145:151, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:46, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (97:103, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:89, 7%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_creation.toml (94:100, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (172:178, 4%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (249:255, 3%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (111:117, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:262, 2%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (98:106, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (98:106, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (83:89, 8%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:133, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:171, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (106:112, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (160:166, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (144:150, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:74, 8%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml (117:123, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (43:49, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (122:129, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (103:109, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (92:98, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (138:146, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:112, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:103, 7%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml (85:91, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:97, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (131:137, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (97:103, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (108:114, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:127, 4%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (207:215, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (107:113, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (3:10, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (3:10, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:121, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (74:80, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:112, 6%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:160, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (26:35, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:35, 5%) 7 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:175, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (108:114, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:82, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:100, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (69:75, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (105:111, 4%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (116:122, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:116, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (103:111, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (126:132, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (19:25, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (190:196, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (101:109, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (134:142, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (185:193, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (79:85, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (141:149, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:72, 8%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (57:63, 5%) - rules_building_block/discovery_net_view.toml (41:47, 6%) 7 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (26:33, 8%) - rules_building_block/discovery_net_view.toml (52:59, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_acl_modification_via_setfacl.toml (81:89, 8%) - rules_building_block/defense_evasion_file_permission_modification.toml (48:54, 12%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (25:33, 17%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:84, 7%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (133:141, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (37:45, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (141:147, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:68, 9%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (143:149, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:129, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:86, 8%) 7 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:103, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:69, 10%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (104:110, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (102:110, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (64:71, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (100:106, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (97:103, 6%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (98:106, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (80:86, 8%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (55:61, 11%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (98:106, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (63:69, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (3:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (3:10, 12%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (41:47, 5%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (233:241, 3%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:45, 14%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:117, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/credential_access_mitm_localhost_webproxy.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (133:141, 5%) - rules_building_block/collection_posh_compression.toml (125:133, 5%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_posh_password_policy.toml (104:110, 6%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (3:10, 2%) - rules_building_block/defense_evasion_installutil_command_activity.toml (3:10, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (93:99, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:68, 8%) 7 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (57:64, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:56, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:45, 12%) 7 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (115:121, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (239:245, 2%) - rules_building_block/persistence_transport_agent_exchange.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/github/persistence_organization_owner_role_granted.toml (73:79, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:44, 14%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_generic.toml (289:295, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:144, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (137:145, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (43:51, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:127, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (105:113, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (68:73, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (114:119, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (62:67, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_fastpass_phishing.toml (80:85, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:82, 7%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (95:100, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (110:116, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (109:114, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (106:111, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (46:51, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (99:104, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (65:70, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (87:92, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (100:105, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (114:119, 5%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (43:49, 6%) - rules_building_block/discovery_system_service_discovery.toml (35:41, 10%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (118:123, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (126:132, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (67:72, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (23:28, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (146:152, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (105:110, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (63:68, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (87:93, 5%) - rules_building_block/discovery_system_service_discovery.toml (35:41, 10%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (95:100, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:43, 12%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (93:98, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (30:35, 6%) - rules_building_block/lateral_movement_at.toml (25:30, 9%) 6 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (101:106, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (148:153, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:122, 5%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (125:131, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (125:131, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (46:51, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml (84:89, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:71, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (96:101, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (119:124, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (119:124, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml (73:78, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (119:124, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (119:124, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (34:39, 5%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (125:131, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (30:35, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (23:28, 11%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (99:104, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_signal_unusual_user_host.toml (47:53, 11%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (97:102, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (115:121, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:43, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (86:91, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (4:10, 4%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (57:62, 4%) - rules_building_block/discovery_security_software_wmic.toml (44:49, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (99:104, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (46:51, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (42:47, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (129:134, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (145:150, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (120:125, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (118:123, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (66:71, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (133:138, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (57:62, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (41:46, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml (86:91, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:82, 7%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (102:108, 6%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (58:63, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (102:107, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (102:107, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (90:95, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (44:49, 4%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (118:123, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (114:119, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (87:93, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (41:47, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/persistence_evasion_hidden_local_account_creation.toml (66:72, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (146:152, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/_deprecated/execution_linux_process_started_in_temp_directory.toml (41:47, 14%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (20:25, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (80:86, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/defense_evasion_service_path_registry.toml (49:56, 6%) 6 duplicated lines in: - rules/linux/persistence_rc_local_service_already_running.toml (57:62, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (74:79, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (54:59, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (35:41, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (92:97, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (102:107, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (29:35, 2%) - rules_building_block/discovery_system_service_discovery.toml (35:41, 10%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (114:119, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (49:54, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (96:101, 6%) - rules_building_block/execution_wmi_wbemtest.toml (43:48, 12%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (148:153, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (58:63, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (132:138, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (24:29, 5%) - rules_building_block/collection_outlook_email_archive.toml (31:36, 9%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (107:112, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (20:25, 5%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (102:107, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (65:70, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (95:100, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (88:93, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (20:25, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (203:209, 3%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (132:137, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (154:160, 3%) - rules_building_block/discovery_posh_generic.toml (143:149, 2%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (36:42, 4%) - rules_building_block/discovery_system_service_discovery.toml (35:41, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (155:161, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (42:48, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:46, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (34:39, 7%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (112:117, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (58:63, 6%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (39:45, 5%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (42:48, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (32:37, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (91:96, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (58:63, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (68:73, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (47:53, 6%) - rules_building_block/discovery_generic_account_groups.toml (30:36, 6%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (102:107, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (125:130, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (113:119, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/promotions/execution_endgame_exploit_prevented.toml (83:89, 7%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (90:95, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (99:104, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (125:131, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (21:26, 6%) - rules_building_block/execution_wmi_wbemtest.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (26:31, 6%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (106:111, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (148:153, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (41:46, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (24:29, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (165:170, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (103:108, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (95:100, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (53:58, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml (67:72, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (29:35, 2%) - rules_building_block/command_and_control_bitsadmin_activity.toml (41:47, 7%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (77:82, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:120, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (27:32, 3%) - rules_building_block/persistence_startup_folder_lnk.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (108:113, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (93:99, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (41:47, 7%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (43:49, 4%) - rules_building_block/discovery_net_view.toml (38:44, 5%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (103:108, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (160:165, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (160:165, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (56:61, 5%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml (60:65, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (49:54, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (83:88, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml (131:137, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (53:59, 10%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (160:166, 3%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (23:28, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:124, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (115:121, 4%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (102:107, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/command_and_control_tunnel_vscode.toml (22:27, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (48:53, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (4:10, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (4:10, 5%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (123:129, 5%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (139:146, 4%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (114:120, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (24:29, 7%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (33:38, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (59:64, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (23:28, 5%) - rules_building_block/lateral_movement_at.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (28:33, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (102:107, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (108:113, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (123:128, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (108:114, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (108:114, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (42:47, 4%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (168:174, 3%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (137:143, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_internet_capabilities.toml (55:61, 10%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (145:150, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (106:111, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (48:53, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (118:124, 3%) - rules_building_block/discovery_posh_generic.toml (143:149, 2%) 6 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (126:131, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (71:76, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (103:108, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (48:53, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (156:161, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (58:63, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (23:28, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (53:58, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (41:46, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (135:141, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (42:47, 8%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (103:108, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (33:38, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (119:126, 4%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (51:56, 4%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (120:125, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (103:108, 5%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (145:150, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (53:58, 5%) - rules_building_block/discovery_capnetraw_capability.toml (52:57, 7%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (102:108, 6%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (104:109, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (15:20, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (109:114, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:43, 12%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (100:105, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (100:105, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (94:99, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (120:126, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (87:92, 7%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (73:78, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (128:133, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (98:105, 5%) - rules_building_block/discovery_posh_password_policy.toml (91:98, 5%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml (128:134, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (89:94, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (114:121, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml (4:10, 5%) - rules_building_block/discovery_system_time_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (125:131, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (125:131, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (114:120, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (168:174, 3%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (102:108, 6%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (76:81, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (106:111, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (106:111, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (47:53, 6%) - rules_building_block/discovery_system_time_discovery.toml (34:40, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (4:10, 5%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (113:119, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (50:58, 6%) - rules_building_block/discovery_net_view.toml (34:42, 5%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (98:103, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:45, 12%) 6 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (84:89, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (124:130, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (125:131, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (73:78, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (95:100, 3%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml (95:100, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (160:166, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (232:237, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (111:116, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (34:39, 5%) 6 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (140:145, 2%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (89:94, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (98:103, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/aws/defense_evasion_sts_get_federation_token.toml (89:95, 7%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (114:121, 3%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_container_util_misconfiguration.toml (60:65, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (53:58, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:190, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (115:121, 4%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (134:139, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (23:28, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (37:42, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (114:119, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (165:170, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml (65:70, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (116:122, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (23:28, 5%) - rules_building_block/execution_wmi_wbemtest.toml (25:30, 12%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (67:72, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (96:103, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (160:166, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (52:57, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (32:37, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (142:148, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml (89:94, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (86:91, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (86:91, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (95:100, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml (79:84, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (113:118, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:48, 11%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (140:146, 4%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (73:78, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (90:95, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (51:56, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (100:105, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (48:53, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (166:171, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_via_rogue_named_pipe.toml (32:37, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (51:56, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (4:10, 4%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (73:78, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (83:88, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (4:10, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (49:54, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (46:51, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (100:106, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:112, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (30:35, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (103:108, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (93:99, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (37:42, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (143:149, 3%) - rules_building_block/discovery_posh_generic.toml (143:149, 2%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (33:38, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (33:38, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (33:38, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (146:152, 4%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (77:83, 8%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (153:159, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:93, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (119:124, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (119:124, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_sudoers_file_mod.toml (22:27, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (23:28, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (65:70, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (23:28, 7%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (137:143, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (127:132, 3%) - rules_building_block/discovery_of_domain_groups.toml (44:49, 12%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (90:96, 6%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (100:105, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (48:53, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (89:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (43:48, 5%) - rules_building_block/discovery_capnetraw_capability.toml (45:50, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (37:42, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml (51:56, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (34:39, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (79:84, 4%) - rules_building_block/discovery_security_software_wmic.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (94:99, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (115:121, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:45, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml (86:91, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (103:108, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (50:55, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (29:34, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (46:51, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (154:160, 4%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (129:134, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (93:99, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (51:56, 4%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (83:88, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (127:132, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (81:88, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (50:58, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (36:44, 6%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (109:114, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (132:137, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (132:137, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (125:131, 5%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (51:56, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (49:54, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (172:177, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (129:134, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (48:53, 6%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (102:108, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (42:47, 11%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (116:121, 5%) - rules_building_block/discovery_of_domain_groups.toml (44:49, 12%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (129:135, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (129:135, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/initial_access_first_time_public_key_authentication.toml (47:52, 8%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (54:59, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (61:66, 7%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (86:91, 4%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (78:83, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (99:104, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (32:37, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (59:64, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (51:56, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (56:61, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (125:131, 5%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (106:112, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (120:125, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:110, 5%) 6 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (155:160, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (181:186, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (52:57, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (25:30, 11%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (51:56, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (158:163, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (157:163, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (68:74, 5%) 6 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (90:95, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml (90:95, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (155:160, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (33:38, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (43:48, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (79:84, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (109:114, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (124:129, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (150:155, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (33:38, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (14:19, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (17:22, 9%) 6 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (99:104, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (4:10, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (34:39, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (165:170, 3%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (4:10, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (47:52, 5%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (140:146, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (46:51, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:49, 6%) 6 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (41:46, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:50, 8%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (126:132, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:110, 5%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:203, 3%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (199:204, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (107:112, 4%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml (96:101, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (34:39, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (143:149, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (63:69, 6%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (99:104, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (43:48, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml (74:80, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml (28:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (156:161, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (46:51, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (112:117, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (99:104, 6%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (126:131, 4%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (128:133, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (51:56, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (4:10, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (90:95, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (58:63, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (110:115, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (135:141, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (102:107, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:68, 8%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (135:141, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (99:104, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (88:93, 3%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_address.toml (87:92, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (25:30, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (143:149, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (68:74, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (80:85, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (25:30, 9%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (42:47, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (71:76, 5%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (96:101, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (43:49, 4%) - rules_building_block/discovery_security_software_wmic.toml (41:47, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (96:101, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (114:120, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (101:106, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (141:146, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (127:132, 4%) - rules_building_block/collection_archive_data_zip_imageload.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (4:10, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (4:10, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (168:174, 3%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (116:122, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (68:73, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (42:47, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (117:122, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:133, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (85:90, 4%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (31:36, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (51:56, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (83:89, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (98:103, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (53:58, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (79:84, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (79:84, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (126:131, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (126:131, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (53:58, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:57, 4%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/promotions/execution_endgame_exploit_detected.toml (81:87, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (160:166, 3%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (115:120, 3%) - rules_building_block/defense_evasion_write_dac_access.toml (35:40, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (23:28, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (106:112, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (106:111, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:127, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (104:109, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (37:42, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (24:29, 3%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (118:123, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (48:53, 10%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (83:89, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (83:89, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (23:28, 4%) - rules_building_block/credential_access_mdmp_file_creation.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (128:134, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:111, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (49:54, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:57, 4%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (141:146, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:50, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (135:141, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml (116:122, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml (84:89, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:82, 7%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (73:79, 5%) - rules_building_block/discovery_posh_generic.toml (143:149, 2%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (23:28, 4%) - rules_building_block/credential_access_win_private_key_access.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (47:53, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:46, 6%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (106:113, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (67:72, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (126:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/credential_access_imageload_azureadconnectauthsvc.toml (94:99, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (48:53, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (4:10, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (86:91, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (187:192, 3%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (140:145, 3%) - rules_building_block/discovery_security_software_wmic.toml (91:96, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (106:111, 3%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (34:39, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (103:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (103:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (176:181, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (176:181, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (43:49, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:46, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (142:148, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (21:26, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (155:160, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (41:46, 11%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_registry.toml (81:86, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (22:27, 7%) - rules_building_block/execution_github_repo_created.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (79:85, 5%) - rules_building_block/discovery_system_time_discovery.toml (34:40, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (96:101, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (160:166, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (26:31, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (30:35, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (31:36, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (31:36, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (4:10, 5%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (92:97, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (92:97, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (110:116, 6%) - rules_building_block/discovery_signal_unusual_user_host.toml (44:50, 11%) 6 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (143:148, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (89:94, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:58, 9%) 6 duplicated lines in: - rules/linux/discovery_linux_nping_activity.toml (65:70, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/promotions/execution_endgame_exploit_detected.toml (81:87, 7%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (91:97, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (110:116, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (4:10, 4%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (69:74, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (90:95, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (93:98, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (134:140, 4%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (58:63, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (107:113, 5%) - rules_building_block/discovery_security_software_wmic.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (46:51, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (108:113, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (61:66, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (97:102, 4%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (180:187, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (49:56, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (95:100, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:58, 9%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml (104:109, 6%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (46:51, 10%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (126:132, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:94, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml (86:91, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (132:137, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (142:147, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (161:167, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (86:91, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (144:150, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (33:38, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (52:57, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (116:122, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (87:92, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (87:92, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (51:56, 7%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (31:36, 6%) - rules_building_block/credential_access_win_private_key_access.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (110:116, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (84:89, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (83:88, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (104:109, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (91:96, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (59:64, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (107:112, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (150:155, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (42:48, 6%) - rules_building_block/discovery_security_software_wmic.toml (41:47, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (4:10, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (28:33, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (105:110, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (43:49, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (41:47, 7%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (69:74, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (59:64, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (45:50, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (94:99, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (41:46, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_posh_password_policy.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (23:28, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_shared_object.toml (63:68, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (128:133, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (73:79, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (68:74, 5%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (52:57, 6%) - rules_building_block/credential_access_win_private_key_access.toml (27:32, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (54:59, 6%) - rules_building_block/execution_unsigned_service_executable.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (81:88, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (109:116, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (105:110, 5%) - rules_building_block/credential_access_win_private_key_access.toml (77:82, 6%) 6 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (65:70, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (98:103, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (48:53, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (120:126, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (126:131, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (135:141, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (126:131, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (29:34, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (46:51, 6%) - rules_building_block/discovery_security_software_wmic.toml (45:50, 7%) 6 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (42:47, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:50, 4%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (23:28, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (31:36, 8%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml (71:76, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (32:37, 10%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (32:37, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (129:135, 5%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (78:84, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (116:122, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (67:72, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (114:120, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:106, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (106:112, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_posh_password_policy.toml (42:47, 5%) 6 duplicated lines in: - rules/linux/persistence_extract_initramfs_via_cpio.toml (51:56, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (118:124, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (164:169, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (142:147, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (24:29, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (21:26, 2%) - rules_building_block/defense_evasion_masquerading_browsers.toml (24:29, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (103:108, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (88:93, 4%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (125:130, 5%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (134:139, 4%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (121:126, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (142:147, 4%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:107, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml (111:117, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (81:87, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (109:116, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (102:107, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (89:95, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (142:147, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (4:10, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (126:131, 4%) - rules_building_block/discovery_security_software_wmic.toml (91:96, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml (112:117, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (93:98, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (53:58, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (106:111, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (174:179, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (101:106, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (174:179, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml (50:56, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (43:48, 5%) - rules_building_block/discovery_capnetraw_capability.toml (45:50, 7%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (15:20, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (151:156, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (138:143, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/_deprecated/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml (44:50, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (117:123, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (4:10, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (95:101, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_internet_capabilities.toml (55:61, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (118:123, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml (22:27, 8%) - rules_building_block/privilege_escalation_trap_execution.toml (23:28, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (92:97, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (165:170, 3%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (128:133, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:97, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (23:28, 7%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (103:108, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (59:64, 4%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (94:99, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (94:99, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (28:33, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (104:109, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (94:99, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (47:53, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (38:44, 6%) 6 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (82:87, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (35:40, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (95:100, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (154:159, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml (116:122, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (99:104, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (32:38, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (87:93, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (111:116, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:43, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (155:161, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (322:328, 1%) - rules_building_block/discovery_posh_generic.toml (143:149, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (106:111, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml (96:101, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (87:92, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (51:56, 7%) 6 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (163:168, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:228, 2%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (147:153, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (124:130, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (45:50, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/discovery_system_network_connections.toml (19:24, 13%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (112:117, 5%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (128:133, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (103:108, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (100:105, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (100:105, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (141:146, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:58, 9%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (110:116, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (141:147, 4%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (125:130, 5%) - rules_building_block/discovery_win_network_connections.toml (53:58, 9%) 6 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (112:117, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:112, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml (34:39, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (23:28, 11%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (52:57, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (22:27, 8%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (43:48, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (64:70, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (146:152, 4%) - rules_building_block/discovery_capnetraw_capability.toml (83:88, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (98:103, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (28:33, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (73:79, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (63:69, 6%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (43:48, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (136:142, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (48:53, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (165:170, 3%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:58, 9%) 6 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (128:134, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (140:146, 4%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:110, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (165:170, 3%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (32:37, 4%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (90:95, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (160:165, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (160:165, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (29:34, 6%) - rules_building_block/discovery_posh_password_policy.toml (41:46, 5%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (156:162, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (154:160, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (68:74, 5%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (94:99, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (47:53, 5%) - rules_building_block/discovery_security_software_wmic.toml (41:47, 7%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_via_wsus_update.toml (23:28, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (125:130, 5%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (114:119, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (33:38, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (103:108, 5%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (78:83, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (47:52, 11%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (123:129, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (87:92, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (73:78, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:54, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (152:157, 3%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (153:161, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (139:146, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (52:57, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (22:27, 6%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (46:51, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (121:127, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (93:99, 6%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (20:25, 3%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (90:95, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (101:106, 4%) - rules_building_block/discovery_security_software_wmic.toml (45:50, 7%) 6 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (107:113, 5%) - rules_building_block/discovery_security_software_wmic.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (106:111, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/impact_ransomware_file_rename_smb.toml (100:105, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (121:127, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (99:104, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (33:38, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (322:328, 1%) - rules_building_block/collection_posh_compression.toml (76:82, 4%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (113:119, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (116:121, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (131:136, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (92:97, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (116:121, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (322:328, 1%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (63:69, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml (86:91, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (32:37, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (116:122, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (126:131, 3%) - rules_building_block/discovery_posh_password_policy.toml (41:46, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml (46:51, 12%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (55:60, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (23:28, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (112:117, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:128, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (62:67, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (99:104, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (94:99, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:109, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml (104:110, 6%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (108:113, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_fastpass_phishing.toml (80:85, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (120:126, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/persistence_services_registry.toml (119:124, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (53:58, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (63:68, 6%) - rules_building_block/discovery_net_view.toml (54:59, 5%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml (100:105, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (4:10, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (102:107, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (143:148, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (48:53, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:57, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (28:33, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (22:27, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (21:26, 7%) - rules_building_block/discovery_net_view.toml (60:65, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (78:83, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (54:59, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (26:31, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (120:125, 4%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (113:118, 2%) - rules_building_block/execution_unsigned_service_executable.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (205:212, 3%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (33:38, 6%) - rules_building_block/execution_wmi_wbemtest.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (109:114, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_fastpass_phishing.toml (80:85, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:71, 8%) 6 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (41:46, 6%) - rules_building_block/discovery_capnetraw_capability.toml (45:50, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (120:125, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (157:163, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (63:69, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (24:29, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (24:29, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (177:183, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (89:94, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (42:47, 5%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (101:106, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (157:162, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:108, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (97:102, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (51:56, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (177:183, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (37:42, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (72:78, 8%) 6 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (148:153, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (153:159, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (93:98, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:43, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (96:101, 6%) - rules_building_block/discovery_security_software_wmic.toml (91:96, 7%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (148:154, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (112:117, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (149:155, 4%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (62:67, 9%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (116:122, 4%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (95:100, 4%) - rules_building_block/discovery_security_software_wmic.toml (45:50, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (146:152, 4%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (78:84, 8%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (73:79, 5%) - rules_building_block/collection_posh_compression.toml (76:82, 4%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (117:123, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (65:73, 5%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (81:86, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (23:28, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (43:48, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (99:104, 6%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (117:122, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (95:100, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (52:57, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (102:107, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (102:107, 6%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:46, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (128:133, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (158:163, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml (66:71, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml (126:132, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (81:87, 5%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (84:89, 7%) - rules_building_block/discovery_net_view.toml (94:99, 5%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (66:71, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (156:161, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (88:93, 7%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (110:116, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (117:122, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (106:111, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (135:141, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (41:47, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (114:119, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml (58:63, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (109:114, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (109:114, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (115:120, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml (74:79, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (120:125, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:92, 6%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (109:114, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (133:138, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (120:125, 5%) - rules_building_block/lateral_movement_at.toml (51:56, 9%) 6 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (53:58, 5%) - rules_building_block/discovery_security_software_wmic.toml (44:49, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (47:53, 6%) - rules_building_block/discovery_generic_account_groups.toml (30:36, 6%) 6 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (60:65, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (131:136, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (36:41, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (133:139, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:73, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (26:31, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (22:27, 7%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (21:26, 11%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (59:64, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (139:146, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (49:56, 6%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (32:37, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (31:36, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (89:94, 4%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (112:117, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (112:117, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (88:93, 7%) - rules_building_block/discovery_generic_account_groups.toml (65:70, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (99:105, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (118:124, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (63:69, 6%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:97, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (4:10, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (24:29, 7%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (93:98, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (115:121, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (142:147, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (46:51, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:57, 4%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (119:125, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (51:56, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (22:27, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (139:144, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (103:108, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (65:70, 5%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (103:108, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (133:138, 4%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml (41:46, 9%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (120:125, 3%) - rules_building_block/collection_posh_compression.toml (85:90, 4%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (4:10, 4%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (121:127, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (117:123, 5%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_deletion.toml (75:80, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (32:37, 10%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (51:56, 4%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (106:112, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (63:69, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (67:72, 3%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (88:93, 3%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (4:10, 4%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (122:128, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (122:128, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml (116:122, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (95:100, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (108:113, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (87:93, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (87:93, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (67:72, 4%) - rules_building_block/discovery_win_network_connections.toml (30:36, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (116:122, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:110, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (174:179, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (174:179, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_services_registry.toml (23:28, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (123:128, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (112:117, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (36:42, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (96:101, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:58, 9%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (148:154, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (101:107, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (107:112, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (107:112, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (129:135, 5%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (77:83, 8%) 6 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (128:133, 4%) - rules_building_block/execution_unsigned_service_executable.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (68:73, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (106:111, 3%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (108:114, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (74:80, 5%) - rules_building_block/discovery_system_time_discovery.toml (34:40, 10%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (108:114, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (103:108, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (28:33, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (102:107, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (102:107, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (120:126, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (102:107, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (28:33, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (129:135, 5%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (75:81, 8%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (180:187, 3%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (111:116, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (122:127, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (94:99, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (42:48, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (38:44, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (52:57, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (48:54, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (103:108, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (100:105, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (100:106, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (101:106, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (47:52, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/linux/credential_access_gdb_process_hooking.toml (83:88, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (127:132, 4%) - rules_building_block/collection_posh_compression.toml (113:118, 4%) 6 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (64:69, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (112:117, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (135:140, 3%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (109:116, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (49:56, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (97:102, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (39:45, 5%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (42:48, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (34:39, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (93:99, 6%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (23:28, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (72:78, 8%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (106:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (104:110, 5%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (89:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (4:10, 5%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml (104:109, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (77:82, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (32:37, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (36:42, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (41:47, 7%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (104:110, 6%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (115:120, 5%) - rules_building_block/execution_unsigned_service_executable.toml (78:83, 8%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (125:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (115:121, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (121:127, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (180:187, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (185:190, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (109:116, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (103:108, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (154:159, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (102:108, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:43, 12%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (139:146, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (123:128, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (123:128, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (23:28, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:129, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (76:81, 5%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml (65:70, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (21:26, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (88:93, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (4:10, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (50:58, 6%) - rules_building_block/discovery_security_software_wmic.toml (37:45, 7%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (94:99, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (94:99, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (41:47, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (129:135, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (129:135, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (110:116, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (107:112, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (120:126, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (142:148, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (125:131, 5%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (4:10, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (40:45, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (23:28, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (85:90, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (125:131, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (129:134, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (126:132, 5%) - rules_building_block/lateral_movement_at.toml (51:56, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:93, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (4:10, 5%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (112:117, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (35:41, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (34:40, 6%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:109, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:121, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (109:114, 6%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:46, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (23:28, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/credential_access_kirbi_file.toml (68:73, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (86:91, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (54:59, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:57, 4%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (43:48, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (79:84, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (95:100, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (49:54, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (65:70, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (163:169, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (106:112, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (148:154, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (23:28, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (27:32, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (26:31, 6%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml (66:71, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (107:113, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_imageload_azureadconnectauthsvc.toml (94:99, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (116:122, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml (41:46, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (41:46, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (26:31, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (51:56, 8%) 6 duplicated lines in: - rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml (50:55, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (23:28, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (125:131, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (99:104, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (95:100, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (125:130, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (31:37, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (4:10, 5%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_network_acl_creation.toml (73:78, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (34:39, 5%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (4:10, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (43:48, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (57:62, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (42:47, 6%) 6 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (99:104, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (104:109, 2%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (97:102, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (123:129, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (136:141, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (119:125, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml (112:117, 4%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_signal_unusual_user_host.toml (47:53, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (114:119, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (85:91, 5%) - rules_building_block/discovery_system_time_discovery.toml (34:40, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (98:103, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (97:102, 3%) - rules_building_block/discovery_security_software_wmic.toml (45:50, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (160:166, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (32:37, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (32:37, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (24:29, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (54:59, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:57, 4%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (106:111, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (103:108, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (50:58, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (34:42, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (44:49, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (93:100, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (90:95, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/command_and_control_iexplore_via_com.toml (23:28, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (31:36, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml (58:63, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:141, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (22:27, 7%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (37:42, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (106:111, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (48:53, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (152:157, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (80:85, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (98:104, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (98:104, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (99:104, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (94:99, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:43, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (4:10, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (110:116, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (90:95, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (131:136, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (65:70, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (81:86, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (30:35, 5%) - rules_building_block/lateral_movement_at.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (32:38, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (34:40, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml (66:71, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml (78:83, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:56, 8%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (22:27, 6%) - rules_building_block/credential_access_win_private_key_access.toml (28:33, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (22:27, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (135:141, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (99:104, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (79:85, 7%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:46, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (96:101, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (127:132, 3%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (21:26, 2%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (76:81, 5%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (48:54, 5%) - rules_building_block/discovery_system_service_discovery.toml (35:41, 10%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (95:101, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (31:37, 6%) 6 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (104:109, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (115:121, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (100:106, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (121:127, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (22:27, 7%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (92:97, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (23:28, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (123:129, 5%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (143:150, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (91:98, 6%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (111:117, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (111:117, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (22:27, 7%) - rules_building_block/execution_github_new_event_action_for_pat.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (112:117, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (42:47, 5%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (114:121, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (57:62, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/command_and_control_screenconnect_childproc.toml (22:27, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (81:88, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (49:56, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (139:146, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (91:98, 6%) 6 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_detected.toml (77:82, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (30:35, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (23:28, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (140:145, 3%) - rules_building_block/execution_wmi_wbemtest.toml (43:48, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (89:94, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (102:107, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (28:33, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (4:10, 6%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (163:168, 3%) - rules_building_block/collection_archive_data_zip_imageload.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (94:99, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (114:121, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:94, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (134:140, 4%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml (117:123, 5%) - rules_building_block/collection_posh_compression.toml (120:126, 4%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (158:164, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (114:119, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (86:91, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (34:39, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (105:110, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (4:10, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml (41:46, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (43:48, 6%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (103:108, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (125:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (150:155, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:58, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (103:108, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (140:146, 4%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (31:36, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (97:102, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (4:10, 2%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (97:102, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (26:31, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (134:140, 4%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (23:28, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (106:112, 4%) - rules_building_block/collection_posh_compression.toml (76:82, 4%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (59:64, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (142:147, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (26:31, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (98:104, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/persistence_user_or_group_creation_or_modification.toml (59:64, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (180:187, 3%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (192:198, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (135:141, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (125:131, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (122:127, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (143:150, 4%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (118:124, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (109:115, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (129:135, 5%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (78:84, 8%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (39:45, 5%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (40:46, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (154:160, 3%) - rules_building_block/collection_posh_compression.toml (76:82, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (127:133, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (106:112, 4%) - rules_building_block/discovery_posh_generic.toml (143:149, 2%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (44:49, 6%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (90:95, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (97:102, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (4:10, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (4:10, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (182:187, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (134:139, 4%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (97:102, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (86:91, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (86:91, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (4:10, 5%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (122:129, 4%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (49:56, 9%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml (71:76, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (34:39, 5%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (97:102, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (129:135, 5%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (75:81, 8%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (4:10, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (168:173, 3%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (26:31, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:287, 2%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (112:117, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (112:117, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (102:107, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (47:52, 11%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (104:110, 6%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (136:141, 1%) - rules_building_block/command_and_control_bitsadmin_activity.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (4:10, 5%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (116:122, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (109:115, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml (110:115, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (160:166, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml (84:89, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (165:170, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (29:34, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (111:116, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (70:75, 6%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (191:197, 3%) - rules_building_block/persistence_github_new_pat_for_user.toml (53:59, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (43:48, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (100:105, 3%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (156:162, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (50:55, 5%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (116:122, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (32:37, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (116:121, 4%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (139:146, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (117:122, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (65:70, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (38:43, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (97:102, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (54:59, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (36:41, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (118:124, 4%) - rules_building_block/discovery_generic_account_groups.toml (29:35, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (148:153, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:73, 7%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (65:70, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:128, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:170, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (80:86, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/persistence_browser_extension_install.toml (29:34, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (24:29, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_posh_password_policy.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (96:101, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (100:105, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (78:83, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (149:155, 4%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (156:161, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (121:126, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (48:53, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (97:102, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (154:160, 4%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (74:79, 5%) - rules_building_block/execution_unsigned_service_executable.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (117:122, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (56:61, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (150:155, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (117:122, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (121:126, 4%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (139:146, 4%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (32:37, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:112, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (99:104, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (99:104, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (34:39, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (31:36, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (144:150, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (191:197, 3%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (108:115, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (129:134, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (129:134, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (4:10, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (108:114, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (59:64, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (108:114, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (116:121, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (155:160, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml (86:91, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:71, 8%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (121:127, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml (112:118, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (81:87, 5%) 6 duplicated lines in: - rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml (75:81, 8%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/linux/persistence_grub_makeconfig.toml (45:50, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (99:104, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (141:146, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (99:104, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (4:10, 6%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (105:110, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (105:110, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (121:126, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (96:101, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (109:116, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (91:98, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (67:72, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (81:88, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (109:116, 4%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (50:55, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:50, 4%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (61:66, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml (16:21, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (102:107, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (112:117, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (160:166, 3%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (22:27, 7%) - rules_building_block/discovery_system_time_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_posh_password_policy.toml (42:47, 5%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (38:43, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (37:42, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (104:110, 6%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (83:88, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (114:119, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (105:111, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (65:73, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (93:99, 6%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (37:42, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (99:104, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (99:104, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (67:72, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (91:96, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (83:89, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (41:47, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (107:112, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (87:92, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (54:59, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (119:124, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (23:28, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (46:51, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (68:73, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (51:56, 7%) 6 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (240:246, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (122:127, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (22:27, 7%) - rules_building_block/discovery_hosts_file_access.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (4:10, 6%) - rules_building_block/discovery_posh_password_policy.toml (4:10, 5%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_evasion_hidden_local_account_creation.toml (66:72, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (34:40, 6%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (116:121, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (116:121, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (116:121, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml (100:105, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (92:97, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (83:88, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (100:105, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (256:261, 2%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (98:103, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (115:121, 4%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (106:111, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (98:103, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml (89:94, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (53:58, 9%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (157:162, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (116:121, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (32:37, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml (74:80, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/execution_mofcomp.toml (27:32, 5%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (114:119, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (142:147, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (42:47, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml (99:104, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:73, 7%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (80:85, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (138:144, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (111:116, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (106:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml (158:163, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml (158:163, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (115:121, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (94:99, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (33:38, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (29:35, 2%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (21:26, 6%) - rules_building_block/execution_wmi_wbemtest.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (135:141, 4%) - rules_building_block/discovery_system_service_discovery.toml (35:41, 10%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (49:54, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (179:184, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (111:116, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (83:88, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (118:124, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (31:37, 3%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_posh_password_policy.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (54:59, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (102:107, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (43:48, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (88:93, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (57:62, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (29:34, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (114:119, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/persistence_app_compat_shim.toml (23:28, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (141:147, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (77:82, 5%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (146:151, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (25:30, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (24:29, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (26:31, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (31:36, 8%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (148:154, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (114:121, 3%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (31:36, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (166:171, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (115:121, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (93:98, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (103:108, 5%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (4:10, 4%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (4:10, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (117:122, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (23:28, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (20:25, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (51:56, 8%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (148:153, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (141:146, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (143:150, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (49:56, 6%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:112, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (47:53, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (34:40, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (152:157, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_posh_password_policy.toml (42:47, 5%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (152:158, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (20:25, 3%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (116:122, 4%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_user_discovery.toml (124:129, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (42:47, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (51:56, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (114:119, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (106:111, 3%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (48:53, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (96:101, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (93:99, 4%) - rules_building_block/discovery_system_service_discovery.toml (35:41, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (20:25, 5%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (42:47, 8%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (115:120, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (51:56, 4%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (88:93, 4%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (135:141, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (87:92, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (34:39, 7%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (4:10, 2%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (54:59, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/impact_ransomware_note_file_over_smb.toml (100:105, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (177:183, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (177:183, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (131:136, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (81:88, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (91:98, 6%) 6 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (43:48, 5%) - rules_building_block/discovery_capnetraw_capability.toml (45:50, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (43:48, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (51:56, 4%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (46:51, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (64:69, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (31:36, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (56:61, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (42:48, 6%) - rules_building_block/discovery_net_view.toml (38:44, 5%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (161:166, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (68:73, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (112:117, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (21:26, 7%) - rules_building_block/discovery_security_software_wmic.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (116:122, 5%) - rules_building_block/lateral_movement_at.toml (51:56, 9%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (59:64, 6%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (70:75, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (55:60, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (83:89, 4%) - rules_building_block/discovery_system_time_discovery.toml (34:40, 10%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (151:156, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:95, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (101:107, 6%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (89:94, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (24:29, 5%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (25:30, 10%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml (86:91, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (66:71, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (114:119, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (80:86, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:58, 9%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (102:107, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (117:122, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (23:28, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (116:121, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (93:98, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:58, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (89:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (43:48, 6%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml (75:81, 8%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (126:131, 3%) - rules_building_block/defense_evasion_write_dac_access.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (4:10, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/aws/impact_s3_object_versioning_disabled.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (129:135, 5%) - rules_building_block/discovery_capnetraw_capability.toml (83:88, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (22:27, 7%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (19:24, 11%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (91:96, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (4:10, 5%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (23:28, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (53:58, 5%) - rules_building_block/discovery_capnetraw_capability.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (78:83, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (4:10, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (102:107, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml (41:46, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (52:57, 5%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (26:31, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:264, 2%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (110:116, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (154:160, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (63:69, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (125:131, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (90:95, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (54:59, 6%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (50:55, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:57, 4%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (108:113, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (65:70, 5%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (108:114, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (108:114, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (141:147, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (53:59, 10%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution.toml (57:62, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (82:87, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (26:31, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (87:92, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (105:110, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (118:124, 3%) - rules_building_block/collection_posh_compression.toml (76:82, 4%) 6 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (47:52, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (116:121, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (78:83, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (135:141, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (133:138, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (108:115, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_hash.toml (86:91, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (112:117, 3%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (65:70, 4%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (23:28, 7%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (117:122, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (102:108, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (46:51, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (4:10, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (163:168, 3%) - rules_building_block/collection_posh_compression.toml (113:118, 4%) 6 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (147:152, 3%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (34:39, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (104:110, 6%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (98:103, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_snapshot_deleted.toml (29:34, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (32:37, 10%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (101:106, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (154:160, 4%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (140:145, 3%) - rules_building_block/lateral_movement_wmic_remote.toml (71:76, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (168:174, 3%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (123:129, 5%) - rules_building_block/discovery_internet_capabilities.toml (55:61, 10%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (97:102, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (97:102, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (48:53, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (125:131, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (145:150, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (102:107, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (42:47, 11%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (4:10, 2%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (119:124, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (119:124, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (83:88, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (114:120, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_system_service_discovery.toml (25:30, 10%) 6 duplicated lines in: - rules/windows/persistence_services_registry.toml (23:28, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (31:36, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_potential_persistence_script_executable_bit_set.toml (55:60, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:170, 3%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (43:49, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (23:28, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (27:32, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (4:10, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (111:117, 6%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/linux/persistence_user_or_group_creation_or_modification.toml (60:65, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (104:109, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (51:56, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (22:27, 7%) - rules_building_block/discovery_system_service_discovery.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:119, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (90:95, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (73:78, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (23:28, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (114:119, 5%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (96:101, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (71:76, 8%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (102:108, 6%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (81:88, 6%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (97:102, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (142:147, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (144:149, 3%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:136, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (113:118, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (137:143, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (26:31, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (146:151, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (43:48, 5%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (98:103, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (125:131, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (70:75, 3%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (114:119, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (149:155, 4%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (259:265, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (142:147, 4%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (33:38, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:104, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (71:77, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (141:146, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (53:58, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (43:48, 6%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (125:130, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (68:74, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (85:91, 4%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (107:112, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (22:27, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (51:56, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (75:80, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (103:110, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (35:41, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (4:10, 5%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (81:86, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (43:48, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (91:96, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (165:170, 3%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (86:91, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (83:90, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (23:28, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (51:56, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (24:29, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (136:141, 3%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (102:107, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:120, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (93:98, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (59:64, 7%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (154:159, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:58, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (99:104, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (63:68, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (68:73, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (114:119, 4%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (24:29, 7%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (103:108, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_group_creation.toml (64:69, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (31:36, 10%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (55:60, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (81:87, 5%) - rules_building_block/discovery_system_time_discovery.toml (34:40, 10%) 6 duplicated lines in: - rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml (41:46, 6%) - rules_building_block/discovery_net_view.toml (41:46, 5%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (322:328, 1%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (68:74, 5%) 6 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (58:63, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (126:131, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (115:121, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (97:102, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (128:133, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (110:115, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_posh_password_policy.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (59:64, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (35:40, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (23:28, 11%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (145:150, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (26:31, 6%) - rules_building_block/lateral_movement_at.toml (25:30, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_internet_capabilities.toml (55:61, 10%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (36:41, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (122:128, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (122:128, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (104:109, 2%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (59:64, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (212:217, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml (111:116, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (182:188, 3%) - rules_building_block/discovery_of_domain_groups.toml (44:49, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (58:63, 4%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (63:69, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (102:107, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (83:89, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (83:89, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (116:122, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (129:135, 5%) - rules_building_block/discovery_capnetraw_capability.toml (83:88, 7%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:136, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (37:43, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (34:40, 6%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (80:85, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (160:165, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (101:108, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (53:58, 7%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/credential_access_kirbi_file.toml (68:73, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (91:96, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (143:149, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_snapshot_deleted.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (92:97, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (115:121, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (4:10, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:124, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (87:92, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (137:142, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (117:122, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (116:121, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (97:102, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (110:116, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (103:108, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (127:135, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (44:49, 2%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (121:127, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (48:54, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (41:47, 7%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (109:114, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (109:114, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (79:84, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (78:83, 8%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (157:163, 3%) - rules_building_block/collection_posh_compression.toml (76:82, 4%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (50:55, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (83:89, 5%) - rules_building_block/discovery_system_service_discovery.toml (35:41, 10%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (125:130, 5%) - rules_building_block/discovery_internet_capabilities.toml (42:47, 10%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (22:27, 7%) - rules_building_block/discovery_system_network_connections.toml (19:24, 13%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (145:150, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (90:95, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (120:125, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (67:72, 8%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml (116:122, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (68:73, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:210, 2%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml (41:46, 6%) - rules_building_block/discovery_security_software_wmic.toml (44:49, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (135:140, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (80:85, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (93:99, 6%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:108, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (107:113, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (113:118, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (107:112, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (156:161, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml (86:91, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:82, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (89:94, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:78, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (114:120, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (4:10, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml (28:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (115:120, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (68:73, 3%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (23:28, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (130:136, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (161:166, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:122, 5%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (148:154, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (24:29, 7%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (112:117, 5%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (180:187, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (4:10, 5%) - rules_building_block/discovery_posh_password_policy.toml (4:10, 5%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (155:160, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (4:10, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_root_certificate_installation.toml (58:63, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (106:113, 6%) - rules_building_block/lateral_movement_at.toml (51:56, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (101:106, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (124:130, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (124:130, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (116:121, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (97:102, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (35:40, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (22:27, 7%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (143:150, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (90:95, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (106:113, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_task_creation.toml (29:34, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:154, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (160:166, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (126:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (116:122, 4%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (4:10, 4%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (46:51, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (52:57, 4%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_via_rogue_named_pipe.toml (32:37, 6%) - rules_building_block/discovery_net_view.toml (54:59, 5%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (94:99, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (132:137, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (80:85, 4%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:154, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (70:75, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:30, 9%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (116:122, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (90:97, 6%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (135:141, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (26:31, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (25:30, 3%) - rules_building_block/defense_evasion_cmstp_execution.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (103:108, 5%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (135:141, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (112:118, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (119:126, 4%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (90:96, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (114:120, 5%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (4:10, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (74:79, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (106:111, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (28:33, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (123:129, 5%) - rules_building_block/discovery_signal_unusual_user_host.toml (47:53, 11%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (72:78, 8%) 6 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (128:134, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (26:31, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (31:36, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (33:38, 9%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (140:146, 4%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (90:95, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (124:129, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (109:115, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (79:84, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (52:57, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (143:150, 4%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (71:77, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (34:40, 6%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (99:104, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (102:107, 6%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:46, 11%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (39:45, 5%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (44:49, 8%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (97:102, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_posh_password_policy.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (22:27, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (101:106, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (30:35, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (31:36, 8%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (89:94, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (74:79, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (155:161, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/promotions/execution_endgame_exploit_prevented.toml (83:89, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (61:66, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (116:121, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (98:103, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (68:73, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (31:37, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (34:40, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_system_time_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (54:59, 3%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (100:105, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (129:134, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (129:134, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (168:173, 3%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (125:131, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (96:101, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (99:104, 4%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (143:150, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (61:66, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (135:140, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (4:10, 5%) - rules_building_block/discovery_net_view.toml (5:11, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (34:39, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (97:102, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_prevented.toml (76:81, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (107:112, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (116:122, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (81:88, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (86:91, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (86:91, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (93:99, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (4:10, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (77:82, 5%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (111:116, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (97:102, 1%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (106:112, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (106:112, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/credential_access_kirbi_file.toml (68:73, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (152:157, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml (57:62, 5%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (34:39, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (102:107, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (102:107, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (94:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (324:329, 1%) - rules_building_block/collection_posh_compression.toml (85:90, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (110:115, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (29:34, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (154:159, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (93:98, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml (100:105, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (30:35, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (44:49, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:50, 4%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (59:64, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (99:104, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:45, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (51:56, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (23:28, 7%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (134:140, 4%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (94:99, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (4:10, 4%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_evasion_rdp_shadowing.toml (106:111, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (102:108, 6%) - rules_building_block/discovery_signal_unusual_user_host.toml (44:50, 11%) 6 duplicated lines in: - rules/windows/impact_modification_of_boot_config.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (132:137, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (132:137, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (143:150, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (4:10, 2%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (97:102, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/command_and_control_ip_forwarding_activity.toml (31:36, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (28:33, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (46:52, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (53:58, 5%) - rules_building_block/discovery_capnetraw_capability.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (114:121, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (91:98, 6%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (95:101, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (28:33, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (98:104, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (98:104, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (117:123, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (112:117, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (46:51, 11%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (172:177, 3%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (128:134, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (48:54, 11%) 6 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (121:127, 5%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/linux/persistence_udev_rule_creation.toml (49:54, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (149:155, 4%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (49:55, 11%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (109:114, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (97:102, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (78:85, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (4:10, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (37:42, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (98:103, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (106:111, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (111:117, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (111:117, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (83:88, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (25:30, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (228:234, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (92:97, 4%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (47:53, 6%) - rules_building_block/discovery_system_time_discovery.toml (34:40, 10%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (146:152, 4%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (75:81, 8%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (148:153, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml (83:89, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (117:123, 5%) 6 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (65:70, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (129:135, 5%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (77:83, 8%) 6 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (109:114, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (99:104, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (142:147, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (62:67, 8%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/collection_posh_compression.toml (125:131, 4%) 6 duplicated lines in: - rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml (99:104, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:122, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (40:46, 15%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (114:121, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (49:56, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (57:62, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:49, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (126:131, 4%) - rules_building_block/execution_wmi_wbemtest.toml (43:48, 12%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (66:71, 6%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (99:104, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (91:96, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (47:53, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (34:40, 9%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (76:81, 4%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (53:58, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (128:134, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (4:10, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (151:156, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (35:40, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (4:10, 5%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (24:29, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml (93:98, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (125:130, 5%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:46, 11%) 6 duplicated lines in: - rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml (74:80, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (103:108, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (124:130, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (66:71, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (124:130, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (195:200, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (4:10, 7%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (108:113, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (4:10, 7%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (95:100, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (157:163, 3%) - rules_building_block/discovery_posh_generic.toml (143:149, 2%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (97:102, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (85:91, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (145:150, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (111:117, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (158:163, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (80:86, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (137:142, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_posh_password_policy.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (105:110, 1%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (4:10, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (118:124, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (30:36, 6%) 6 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (4:10, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (26:31, 11%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (133:139, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:122, 5%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (139:144, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (185:191, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (60:65, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (92:97, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml (58:63, 5%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (48:53, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (4:10, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (27:32, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (4:10, 7%) - rules_building_block/discovery_system_time_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (99:104, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (4:10, 6%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/linux/initial_access_first_time_public_key_authentication.toml (47:52, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (134:139, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (81:87, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (96:101, 4%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (95:100, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (125:130, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (79:84, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (28:33, 8%) 6 duplicated lines in: - rules/_deprecated/execution_via_net_com_assemblies.toml (31:37, 13%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (57:62, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (121:126, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (101:108, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (33:38, 7%) - rules_building_block/discovery_posh_password_policy.toml (41:46, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (58:63, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (139:145, 4%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (72:78, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (4:10, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (35:41, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (34:40, 6%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:130, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (30:35, 7%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (108:113, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (34:39, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (25:30, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (98:103, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (4:10, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (109:115, 5%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (118:123, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (109:114, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (25:30, 6%) 6 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (151:156, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (159:164, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (63:68, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (22:27, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (107:112, 4%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (4:10, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (4:10, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (33:38, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (100:106, 6%) - rules_building_block/discovery_generic_process_discovery.toml (50:55, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (4:10, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (94:99, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (158:163, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/persistence_app_compat_shim.toml (32:38, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (108:113, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml (117:123, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:105, 5%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (163:168, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (54:59, 4%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (64:70, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (61:66, 7%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (74:79, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (153:159, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (103:108, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (4:10, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (22:27, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml (157:162, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml (157:162, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (43:49, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (38:44, 6%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (21:26, 10%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (29:34, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (110:115, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (19:24, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (37:43, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (4:10, 4%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (4:10, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (127:132, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (77:85, 3%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (43:51, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (27:32, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (32:37, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (4:10, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:136, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (62:67, 6%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (103:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (103:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (54:59, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (114:119, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (98:103, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (31:36, 7%) 6 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (4:10, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (4:10, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (4:10, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (4:10, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (5:11, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (99:104, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:106, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (63:68, 5%) - rules_building_block/discovery_net_view.toml (42:47, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (67:72, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (21:26, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (4:10, 5%) - rules_building_block/discovery_security_software_wmic.toml (5:11, 7%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (111:117, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (84:89, 6%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (88:94, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (4:10, 5%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (82:87, 4%) - rules_building_block/discovery_net_view.toml (59:64, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (71:76, 6%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (73:78, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (45:50, 2%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (176:181, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (176:181, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (142:147, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (141:146, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (160:167, 3%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (47:52, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (125:130, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_suspicious_dnshostname_update.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/privilege_escalation_newcreds_logon_rare_process.toml (4:10, 8%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (4:10, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (194:199, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (88:93, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (115:120, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (91:96, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (113:118, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (28:33, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (144:150, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/command_and_control_iexplore_via_com.toml (90:95, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (105:110, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_openssl_passwd_hash_generation.toml (49:54, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (98:103, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (4:10, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (112:117, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 4%) 6 duplicated lines in: - rules/windows/execution_com_object_xwizard.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml (3:9, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (3:9, 8%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (154:159, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:141, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_make_token_local.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml (74:80, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (53:59, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (40:45, 10%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (73:79, 8%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (4:10, 3%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (87:92, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (97:103, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (22:27, 8%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (93:99, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (48:53, 6%) - rules_building_block/discovery_capnetraw_capability.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (73:78, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (4:10, 10%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (81:86, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (38:43, 12%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (62:67, 5%) - rules_building_block/discovery_generic_process_discovery.toml (24:29, 10%) 6 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (93:98, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (40:45, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (92:97, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (87:93, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (80:85, 7%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (87:93, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (63:68, 7%) 6 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml (128:134, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (104:109, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (64:69, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (32:37, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (4:10, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (80:85, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (41:46, 11%) 6 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (114:120, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (76:81, 7%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (4:10, 11%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (83:88, 6%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (4:10, 5%) - rules_building_block/collection_outlook_email_archive.toml (4:10, 9%) 6 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (154:160, 4%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (48:54, 11%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (102:107, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (123:128, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (23:28, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (25:30, 11%) 6 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:137, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (79:85, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (68:73, 5%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (4:10, 4%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (92:97, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (39:44, 11%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (4:10, 4%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (115:120, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (4:10, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (54:59, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (113:118, 4%) - rules_building_block/execution_wmi_wbemtest.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (99:104, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (4:10, 5%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (107:112, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (4:10, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (4:10, 7%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (103:109, 5%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (4:10, 6%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (97:102, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/discovery_hosts_file_access.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (108:113, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (4:10, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (4:10, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (4:10, 5%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (96:101, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (85:90, 6%) - rules_building_block/lateral_movement_at.toml (43:48, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (106:111, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (106:111, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (96:101, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (4:10, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (4:10, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_alternate_creds_pth.toml (4:10, 7%) - rules_building_block/credential_access_win_private_key_access.toml (4:10, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (97:102, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (50:55, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (48:53, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (47:53, 5%) - rules_building_block/discovery_net_view.toml (38:44, 5%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (142:147, 4%) - rules_building_block/discovery_posh_generic.toml (289:294, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (4:10, 6%) - rules_building_block/lateral_movement_at.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (4:10, 6%) - rules_building_block/discovery_system_service_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (4:10, 7%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (4:10, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (4:10, 13%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (4:10, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (4:10, 8%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (4:10, 4%) - rules_building_block/discovery_generic_process_discovery.toml (5:11, 10%) 6 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (4:10, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (4:10, 9%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (4:10, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (5:11, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (33:38, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (34:39, 6%) - rules_building_block/lateral_movement_at.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (4:10, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (4:10, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (4:10, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (4:10, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (5:11, 9%) 6 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (31:36, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (57:62, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (43:48, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (89:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (52:58, 11%) 6 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (40:45, 6%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (3:9, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (3:9, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (4:10, 8%) - rules_building_block/execution_wmi_wbemtest.toml (4:10, 12%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (4:10, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (4:10, 7%)