53 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (4:65, 33%) - rules_building_block/command_and_control_certutil_network_connection.toml (5:66, 35%) 53 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (4:65, 33%) - rules_building_block/command_and_control_certutil_network_connection.toml (5:66, 35%) 51 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (7:65, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (8:66, 33%) 42 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (124:175, 28%) - rules_building_block/persistence_web_server_sus_file_creation.toml (84:135, 35%) 42 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (134:185, 27%) - rules_building_block/persistence_web_server_sus_file_creation.toml (84:135, 35%) 39 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (111:159, 29%) - rules_building_block/persistence_web_server_sus_file_creation.toml (87:135, 32%) 36 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (62:103, 24%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:104, 26%) 32 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:297, 11%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:111, 32%) 31 duplicated lines in: - rules/windows/discovery_admin_recon.toml (93:132, 28%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (42:81, 44%) 30 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (59:92, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:57, 25%) 30 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (69:106, 34%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (72:109, 33%) 30 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (66:99, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:57, 25%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (68:104, 33%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (68:104, 33%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (67:102, 34%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (71:107, 32%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (110:146, 23%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (67:103, 34%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (69:105, 33%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (67:103, 34%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (63:99, 35%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (96:132, 26%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:107, 31%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (67:103, 34%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (138:174, 19%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:107, 31%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (66:102, 34%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 29 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (70:106, 33%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:109, 32%) 28 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (58:85, 27%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (21:48, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:57, 38%) 28 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (59:91, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:55, 23%) 28 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (56:83, 29%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:57, 38%) 28 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (60:91, 27%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:164, 20%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:203, 15%) 28 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (63:95, 26%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (22:53, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:57, 38%) 28 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (158:191, 17%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (76:109, 31%) 28 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (59:90, 28%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (60:91, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:55, 23%) 28 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (20:52, 30%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (59:90, 28%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (26:57, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:55, 23%) 28 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (59:90, 29%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (64:91, 26%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (21:52, 29%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:164, 20%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:79, 40%) 28 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (91:124, 26%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:130, 24%) 28 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (60:91, 27%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (27:58, 28%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 28 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (26:57, 38%) - rules_building_block/discovery_capnetraw_capability.toml (26:57, 36%) 27 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (56:86, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (129:159, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (56:86, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (113:143, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (152:182, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (142:172, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (109:139, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/windows/discovery_admin_recon.toml (93:125, 24%) - rules_building_block/discovery_generic_account_groups.toml (62:94, 28%) 27 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (22:52, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:56, 35%) 27 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (63:94, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (142:172, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_potential_persistence_script_executable_bit_set.toml (62:92, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (66:96, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (61:91, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (59:89, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (144:174, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (27:57, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (126:156, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (27:57, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (57:87, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (27:57, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (57:87, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (57:83, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (22:52, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (122:152, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (23:54, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (63:93, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:56, 35%) 27 duplicated lines in: - rules/linux/persistence_openssl_passwd_hash_generation.toml (64:94, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (70:100, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (23:53, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (92:122, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_extract_initramfs_via_cpio.toml (62:88, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (62:92, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (22:52, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (138:168, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (117:147, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (61:91, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_rc_local_service_already_running.toml (31:61, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (62:88, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (58:88, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (113:143, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (21:51, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:56, 35%) 27 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (24:54, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:56, 35%) 27 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (100:130, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_grub_makeconfig.toml (60:86, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (21:51, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (57:83, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (27:57, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 27 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (62:88, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:56, 37%) 27 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (24:55, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:54, 22%) 26 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (62:91, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (120:149, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (60:89, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (20:49, 28%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_mount_execution.toml (67:96, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_sudo_cve_2019_14287.toml (65:94, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (21:50, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (25:54, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (62:91, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (20:50, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml (30:59, 32%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_disable_apparmor_attempt.toml (63:92, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (22:51, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (59:88, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_writable_docker_socket.toml (25:54, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (57:86, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (60:89, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (64:93, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (26:55, 26%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (120:149, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (24:53, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (24:53, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (23:53, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (60:89, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (122:151, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (60:89, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_uid_change_post_compilation.toml (21:50, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (21:50, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (25:54, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (24:53, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (60:89, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_root_certificate_installation.toml (61:90, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (63:92, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (22:51, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (56:85, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (61:91, 24%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (28:57, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml (56:85, 27%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (21:50, 26%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/impact_process_kill_threshold.toml (50:79, 29%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (27:56, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/credential_access_manual_memory_dumping.toml (26:55, 32%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (62:87, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (106:135, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (57:82, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (23:52, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml (59:88, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (60:89, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (56:85, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (26:55, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml (22:52, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (74:103, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (22:51, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml (30:59, 32%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/impact_data_encrypted_via_openssl.toml (25:54, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/persistence_extract_initramfs_via_cpio.toml (62:87, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (58:87, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (26:55, 36%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (54:83, 27%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (25:54, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (56:85, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/impact_potential_linux_ransomware_note_detected.toml (23:52, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (24:53, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (23:52, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_linux_uid_int_max_bug.toml (26:55, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (62:87, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (64:93, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (62:91, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (61:90, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (26:55, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_ld_preload_cmdline.toml (21:50, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_disable_apparmor_attempt.toml (63:92, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (60:89, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (22:51, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml (23:52, 34%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (58:83, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (21:50, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (22:51, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (27:56, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_potential_proot_exploits.toml (66:95, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_suspicious_mkfifo_execution.toml (22:51, 29%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (68:97, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_suspicious_mkfifo_execution.toml (22:51, 29%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (114:143, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (54:83, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_dac_permissions.toml (22:52, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (64:89, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (21:46, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (56:81, 27%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_suspicious_path_mounted.toml (22:51, 38%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (24:53, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/credential_access_manual_memory_dumping.toml (26:55, 32%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml (56:85, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (120:149, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_kill_command_executed.toml (55:84, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (21:50, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml (59:88, 24%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (57:86, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (58:87, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (56:85, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (21:51, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (57:86, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (59:88, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (21:50, 26%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (68:97, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/persistence_potential_persistence_script_executable_bit_set.toml (62:91, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_grub_makeconfig.toml (60:85, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (59:88, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (57:82, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (114:143, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml (57:86, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (58:87, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (60:89, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (60:89, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (61:91, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (56:85, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (23:52, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (117:146, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (66:95, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (59:88, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (56:87, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_unusual_kthreadd_execution.toml (21:51, 28%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (57:86, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (63:93, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (60:89, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (64:93, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (25:54, 27%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (20:49, 28%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (65:94, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_suspicious_path_mounted.toml (22:51, 38%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (57:86, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (61:90, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (22:51, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (21:51, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (56:87, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (58:87, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (57:86, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (56:85, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (63:92, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (92:121, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (27:56, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (62:91, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (23:52, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (61:90, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/persistence_openssl_passwd_hash_generation.toml (64:93, 24%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (23:52, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_ld_preload_cmdline.toml (21:50, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml (61:90, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (58:87, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (21:50, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (23:52, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (23:53, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (60:89, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (57:86, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (60:89, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (63:93, 24%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (60:89, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (21:50, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (54:83, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (60:89, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 26 duplicated lines in: - rules/linux/defense_evasion_kill_command_executed.toml (55:84, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:55, 36%) 26 duplicated lines in: - rules/linux/credential_access_potential_linux_local_account_bruteforce.toml (21:50, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (59:88, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:53, 21%) 26 duplicated lines in: - rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml (61:90, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:55, 33%) 25 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (29:57, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (26:53, 21%) 25 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (73:102, 25%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (44:73, 35%) 24 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (34:61, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:51, 20%) 24 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:142, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (71:97, 26%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:73, 34%) 24 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:158, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:147, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:138, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (21:44, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:53, 31%) 24 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (63:88, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:55, 33%) 24 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:135, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:130, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (3:34, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (3:34, 17%) 24 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (61:86, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:55, 33%) 24 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:136, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml (28:53, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:55, 33%) 24 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:110, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:136, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:153, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:146, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml (28:53, 23%) - rules_building_block/discovery_capnetraw_capability.toml (30:55, 31%) 24 duplicated lines in: - rules/linux/discovery_docker_socket_discovery.toml (66:93, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:53, 33%) 24 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:156, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/discovery_docker_socket_discovery.toml (66:93, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:53, 31%) 24 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (21:44, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:53, 33%) 24 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (63:88, 17%) - rules_building_block/discovery_capnetraw_capability.toml (30:55, 31%) 24 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:157, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 24 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (61:86, 23%) - rules_building_block/discovery_capnetraw_capability.toml (30:55, 31%) 24 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:132, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:135, 20%) 23 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (22:48, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:52, 31%) 23 duplicated lines in: - rules/linux/execution_container_management_binary_launched_inside_container.toml (29:56, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:52, 31%) 23 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (30:57, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:52, 31%) 23 duplicated lines in: - rules/linux/execution_container_management_binary_launched_inside_container.toml (29:56, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:52, 29%) 23 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml (20:47, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:50, 19%) 23 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (30:57, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:52, 29%) 23 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (21:48, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:52, 31%) 23 duplicated lines in: - rules/linux/privilege_escalation_mount_launched_inside_container.toml (27:54, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:50, 19%) 23 duplicated lines in: - rules/linux/credential_access_aws_creds_search_inside_container.toml (22:49, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:50, 19%) 23 duplicated lines in: - rules/linux/privilege_escalation_debugfs_launched_inside_container.toml (27:54, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:50, 19%) 23 duplicated lines in: - rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml (22:49, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:50, 19%) 23 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (32:59, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:50, 19%) 23 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (20:48, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:52, 31%) 23 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (20:48, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:52, 29%) 23 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (21:48, 30%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:50, 19%) 23 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (22:48, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:52, 29%) 23 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (21:48, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:52, 29%) 22 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (8:34, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (8:34, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (7:33, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (8:34, 18%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (7:32, 18%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (8:34, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (8:34, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (8:34, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (114:140, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:99, 24%) 22 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (8:34, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (8:34, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (8:34, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (8:34, 18%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml (8:34, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_hash.toml (7:33, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (8:34, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (8:34, 18%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (16:42, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (145:172, 15%) - rules_building_block/command_and_control_bitsadmin_activity.toml (54:81, 26%) 22 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml (8:34, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (8:34, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (8:34, 18%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (8:34, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (112:138, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:99, 24%) 22 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (8:34, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (8:34, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_address.toml (7:33, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_bruteforce_admin_account.toml (8:34, 19%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (76:102, 23%) - rules_building_block/execution_unsigned_service_executable.toml (40:66, 30%) 22 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (8:34, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (8:34, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (61:89, 23%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:99, 24%) 22 duplicated lines in: - rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (8:34, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_registry.toml (7:33, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (8:34, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (8:34, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/privilege_escalation_named_pipe_impersonation.toml (8:34, 17%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (8:34, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_kerberoasting_unusual_process.toml (8:34, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (8:34, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (8:34, 15%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 22 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (8:34, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:66, 14%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (21:45, 24%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_file_creation.toml (74:98, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_potential_proot_exploits.toml (66:90, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (56:76, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (57:81, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (20:44, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (21:45, 24%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (56:80, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (26:50, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/credential_access_potential_linux_local_account_bruteforce.toml (21:45, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_rc_local_service_already_running.toml (31:55, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (22:46, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (8:33, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:65, 13%) 21 duplicated lines in: - rules/linux/privilege_escalation_linux_uid_int_max_bug.toml (26:50, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (25:49, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (62:86, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (22:46, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (24:48, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (21:45, 24%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (57:81, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (57:81, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (68:92, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (27:51, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (22:46, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (22:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (57:77, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (68:92, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/credential_access_aws_creds_search_inside_container.toml (22:47, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (23:48, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (74:98, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (58:82, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (120:144, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (131:155, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (59:84, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (21:45, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (26:50, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (60:84, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (100:124, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (56:80, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (24:48, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (24:48, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (114:138, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (60:84, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (28:52, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (129:153, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_suspicious_mkfifo_execution.toml (22:46, 24%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (23:47, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_disable_apparmor_attempt.toml (63:87, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (68:92, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (21:45, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (70:94, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (22:46, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (24:48, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (61:85, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (126:150, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (56:80, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (25:49, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (27:51, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (61:85, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml (79:103, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (23:48, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (122:146, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (21:45, 23%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (24:49, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_potential_proot_exploits.toml (66:90, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (64:88, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml (80:104, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (21:45, 24%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (62:86, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (25:49, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (19:43, 25%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (21:45, 23%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (27:51, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (20:45, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (92:116, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_enlightenment_window_manager.toml (22:47, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (63:88, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (74:98, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (64:88, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml (75:99, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (117:143, 16%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:102, 22%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (27:51, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/impact_data_encrypted_via_openssl.toml (25:49, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (63:88, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_file_creation.toml (74:98, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (22:46, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (33:57, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (23:47, 24%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/execution_unusual_kthreadd_execution.toml (21:46, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_enlightenment_window_manager.toml (22:47, 22%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (21:45, 24%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (59:83, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (19:43, 25%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/privilege_escalation_linux_uid_int_max_bug.toml (26:50, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (34:58, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (24:48, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml (75:99, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/credential_access_potential_linux_local_account_bruteforce.toml (21:45, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (21:45, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (66:90, 13%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_overlayfs_local_privesc.toml (25:49, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/impact_process_kill_threshold.toml (50:74, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (7:34, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (59:83, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (26:50, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (152:176, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (21:45, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (8:33, 16%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:65, 13%) 21 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (59:83, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_openssl_passwd_hash_generation.toml (64:88, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (106:130, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (20:44, 24%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (74:98, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_unusual_kthreadd_execution.toml (21:46, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (21:46, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (68:92, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_overlayfs_local_privesc.toml (25:49, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (61:85, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (23:47, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (58:82, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (33:57, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (23:48, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (27:51, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (62:82, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (114:138, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (56:80, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (24:49, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/credential_access_aws_creds_search_inside_container.toml (22:47, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (59:84, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (42:66, 23%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (56:80, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml (20:45, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml (22:47, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml (57:81, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_root_certificate_installation.toml (61:85, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (56:80, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml (30:54, 26%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (21:45, 23%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/linux/persistence_grub_makeconfig.toml (60:80, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/command_and_control_linux_proxychains_activity.toml (7:34, 16%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (20:44, 24%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (111:135, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (113:137, 13%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (59:83, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (20:44, 25%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/linux/privilege_escalation_writable_docker_socket.toml (25:49, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (21:45, 24%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml (80:104, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (60:84, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (21:45, 24%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml (22:47, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_ld_preload_cmdline.toml (21:45, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (23:48, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml (79:103, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (26:50, 29%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/impact_process_kill_threshold.toml (50:74, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_dac_permissions.toml (22:47, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (60:84, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (120:144, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (114:138, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (144:168, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (27:51, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (142:166, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_debugfs_launched_inside_container.toml (27:52, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (109:133, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (57:77, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml (56:80, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (65:89, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (100:124, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (142:166, 9%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (21:45, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_file_creation.toml (74:98, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (23:47, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (59:83, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_linux_ssh_x11_forwarding.toml (7:34, 17%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (54:78, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml (75:99, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_mount_execution.toml (67:91, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (7:34, 13%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (7:34, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (65:89, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (111:135, 11%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (23:47, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (131:155, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (21:45, 24%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (63:87, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml (59:83, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml (57:81, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_debugfs_launched_inside_container.toml (27:52, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (23:48, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (24:48, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (106:130, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (25:49, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (26:50, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (34:58, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_mount_execution.toml (67:91, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (62:82, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (24:48, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (114:138, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (22:46, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (27:51, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (25:49, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (54:78, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (113:137, 13%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (60:84, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (144:168, 9%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (21:46, 28%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (25:49, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (60:84, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (126:150, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (62:86, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/impact_data_encrypted_via_openssl.toml (25:49, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml (23:47, 27%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/linux/privilege_escalation_dac_permissions.toml (22:47, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (59:83, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (25:49, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/linux/credential_access_manual_memory_dumping.toml (26:50, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_container_management_binary_launched_inside_container.toml (29:54, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (21:45, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (20:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (23:47, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (21:45, 24%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_cve_2019_14287.toml (65:89, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (66:90, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (60:84, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_extract_initramfs_via_cpio.toml (62:82, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (21:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (61:86, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (57:81, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/discovery_docker_socket_discovery.toml (66:90, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (57:81, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (23:47, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_root_certificate_installation.toml (61:85, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (74:98, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (120:144, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_suspicious_path_mounted.toml (22:46, 30%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_kill_command_executed.toml (55:79, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (23:47, 14%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (24:48, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (42:66, 23%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (54:78, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (111:135, 11%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (56:82, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (54:78, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (27:51, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (113:137, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (19:43, 25%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (113:137, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (106:130, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (142:166, 10%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (60:84, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/linux/privilege_escalation_mount_launched_inside_container.toml (27:52, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (23:47, 24%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (20:44, 24%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (109:133, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:46, 22%) 21 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (89:115, 21%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:102, 22%) 21 duplicated lines in: - rules/linux/impact_potential_linux_ransomware_note_detected.toml (23:47, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (56:80, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_overlayfs_local_privesc.toml (25:49, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (22:46, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (60:84, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (60:84, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml (79:103, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (7:34, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (62:86, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (25:49, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (117:141, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_sudo_cve_2019_14287.toml (65:89, 19%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (23:47, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_rc_local_service_already_running.toml (31:55, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (21:45, 22%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (26:50, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (21:41, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (32:57, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:229, 9%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:194, 11%) 21 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (58:82, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml (23:47, 27%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (64:88, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (7:34, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml (80:104, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (106:130, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/impact_potential_linux_ransomware_note_detected.toml (23:47, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (152:176, 9%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (21:45, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (74:98, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (54:78, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (21:41, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (60:84, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (21:45, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (142:166, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (23:47, 24%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (27:51, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (23:48, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:229, 9%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:70, 30%) 21 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (22:46, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (28:52, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (58:82, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (58:82, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (33:57, 19%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (59:83, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (42:66, 23%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (64:84, 19%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (60:84, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (20:44, 24%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (66:90, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml (61:85, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (58:82, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (54:78, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (59:83, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml (20:45, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (138:162, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml (22:47, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (138:162, 12%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (60:84, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/privilege_escalation_mount_launched_inside_container.toml (27:52, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_writable_docker_socket.toml (25:49, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (20:44, 24%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (129:153, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (57:81, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_uid_change_post_compilation.toml (21:45, 21%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (63:87, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (63:87, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (21:46, 28%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (20:44, 25%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:50, 20%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (20:44, 24%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (7:34, 13%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:34, 15%) 21 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (60:84, 16%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (21:45, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (60:84, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (30:55, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (60:84, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (131:155, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (20:44, 25%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:45, 23%) 21 duplicated lines in: - rules/linux/privilege_escalation_uid_change_post_compilation.toml (21:45, 21%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_potential_persistence_script_executable_bit_set.toml (62:86, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (58:78, 20%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:48, 17%) 21 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (70:94, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml (22:47, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (24:48, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (27:51, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (32:57, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (61:85, 20%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 21 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (106:130, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:50, 29%) 21 duplicated lines in: - rules/linux/privilege_escalation_enlightenment_window_manager.toml (22:47, 22%) - rules_building_block/discovery_capnetraw_capability.toml (26:50, 27%) 20 duplicated lines in: - rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml (59:83, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (21:44, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/exfiltration_potential_curl_data_exfiltration.toml (23:46, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (138:160, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/command_and_control_telegram_api_request.toml (20:43, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (94:117, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (136:158, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (124:146, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/command_and_control_telegram_api_request.toml (20:43, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (8:30, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:62, 13%) 20 duplicated lines in: - rules/linux/exfiltration_potential_curl_data_exfiltration.toml (23:46, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml (29:52, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (136:160, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (128:150, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (94:117, 10%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (21:44, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/linux/privilege_escalation_container_util_misconfiguration.toml (27:50, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (21:44, 15%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (137:159, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml (21:44, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/exfiltration_potential_curl_data_exfiltration.toml (23:46, 25%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/privilege_escalation_container_util_misconfiguration.toml (27:50, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml (59:83, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (142:164, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml (21:44, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (135:157, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (131:153, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/command_and_control_telegram_api_request.toml (20:43, 25%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/linux/privilege_escalation_container_util_misconfiguration.toml (27:50, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml (29:52, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml (59:83, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (94:117, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (21:44, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (131:155, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml (23:46, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml (23:46, 18%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (60:83, 11%) - rules_building_block/discovery_posh_password_policy.toml (22:45, 18%) 20 duplicated lines in: - rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml (29:52, 17%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:49, 27%) 20 duplicated lines in: - rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml (21:44, 25%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (21:44, 17%) - rules_building_block/discovery_capnetraw_capability.toml (26:49, 25%) 20 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (123:145, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:125, 16%) 20 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (21:44, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (29:52, 20%) - rules_building_block/discovery_capnetraw_capability.toml (28:50, 25%) 20 duplicated lines in: - rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml (23:46, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:47, 16%) 20 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (29:52, 20%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (28:50, 27%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (20:42, 23%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (23:45, 21%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (60:82, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (61:81, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:48, 15%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (20:42, 22%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (21:43, 22%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (23:45, 21%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (21:43, 22%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (21:43, 22%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (20:42, 21%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (19:41, 22%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (20:42, 22%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (19:41, 22%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (60:82, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:43, 21%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (20:42, 21%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (21:43, 22%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (20:42, 23%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (79:102, 17%) - rules_building_block/persistence_transport_agent_exchange.toml (64:87, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (21:43, 21%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (19:41, 22%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (21:43, 22%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (60:82, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:48, 18%) 19 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (60:82, 11%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (21:43, 22%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (20:42, 21%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (20:42, 22%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (20:42, 21%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (21:43, 22%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (19:41, 22%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (20:42, 22%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (21:43, 22%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (8:30, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (44:66, 12%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (21:43, 21%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (21:43, 22%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (21:43, 21%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (20:42, 21%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (8:30, 14%) - rules_building_block/command_and_control_certutil_network_connection.toml (44:66, 12%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (19:41, 22%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (20:42, 22%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (23:45, 21%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (21:43, 22%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (20:42, 22%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (20:42, 22%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (21:43, 22%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (20:42, 21%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (21:43, 22%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (20:42, 22%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (20:42, 22%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (23:45, 21%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (20:42, 21%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (21:43, 22%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (60:82, 11%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (21:43, 21%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (20:42, 23%) - rules_building_block/collection_posh_compression.toml (22:44, 14%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (20:42, 22%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (63:83, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:48, 15%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (20:42, 22%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (20:42, 21%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (60:82, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:44, 20%) 19 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (60:82, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (20:42, 22%) - rules_building_block/discovery_posh_password_policy.toml (22:44, 17%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (20:42, 22%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (20:42, 22%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (20:42, 23%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (21:43, 22%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (20:42, 21%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (21:43, 22%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:49, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (20:42, 23%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (20:42, 21%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (23:45, 21%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (183:206, 10%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:72, 25%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (20:42, 22%) - rules_building_block/persistence_transport_agent_exchange.toml (23:42, 16%) 19 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (143:167, 13%) - rules_building_block/persistence_startup_folder_lnk.toml (46:70, 30%) 19 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (21:43, 21%) - rules_building_block/discovery_posh_generic.toml (22:44, 6%) 19 duplicated lines in: - rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml (28:48, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:48, 15%) 18 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (143:163, 13%) - rules_building_block/collection_posh_compression.toml (126:146, 14%) 18 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (64:83, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:147, 14%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (73:94, 21%) - rules_building_block/lateral_movement_at.toml (44:65, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:191, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (122:141, 11%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (70:89, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:103, 21%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (32:51, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (127:147, 15%) - rules_building_block/collection_posh_compression.toml (126:146, 14%) 18 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (65:84, 14%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (116:135, 9%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:106, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (122:141, 11%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (65:84, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (69:88, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/discovery_linux_nping_activity.toml (75:94, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:106, 20%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (116:138, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:93, 19%) 18 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (112:133, 15%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (135:157, 12%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:72, 24%) 18 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (64:83, 16%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (68:87, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (94:116, 17%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:72, 24%) 18 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (67:85, 11%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (65:84, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (63:82, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:107, 20%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:215, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (87:109, 17%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:93, 19%) 18 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (66:85, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:146, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:132, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (63:81, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (63:82, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (85:104, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (68:87, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (66:85, 14%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (33:52, 13%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (116:135, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (34:53, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:103, 21%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (75:94, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:102, 21%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:140, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:99, 21%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (167:189, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (87:109, 15%) 18 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (57:78, 17%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:147, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/command_and_control_linux_proxychains_activity.toml (69:87, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:146, 14%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:104, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (22:43, 17%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (85:104, 12%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (67:86, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (33:52, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (66:85, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (88:109, 20%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:145, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:123, 15%) 18 duplicated lines in: - rules/linux/initial_access_first_time_public_key_authentication.toml (63:84, 18%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (64:83, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:132, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:109, 20%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (70:89, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (69:88, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (32:51, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (85:106, 20%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (136:158, 12%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (44:66, 25%) 18 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (112:133, 14%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:174, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/persistence_rc_local_error_via_syslog.toml (29:50, 20%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:103, 21%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:215, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (26:45, 18%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (105:125, 17%) - rules_building_block/collection_posh_compression.toml (126:146, 14%) 18 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:132, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:109, 20%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:106, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (67:86, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_shared_object.toml (62:81, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:174, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:109, 20%) 18 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (29:48, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:103, 21%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (29:48, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:107, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (64:83, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (20:41, 20%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (63:82, 16%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (90:112, 17%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:93, 19%) 18 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:120, 17%) - rules_building_block/defense_evasion_service_path_registry.toml (60:80, 21%) 18 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (64:83, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (69:88, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:102, 21%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (85:104, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (106:127, 16%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (26:45, 18%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:120, 17%) - rules_building_block/defense_evasion_services_exe_path.toml (57:77, 21%) 18 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (116:135, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (71:90, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (122:142, 14%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:80, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:191, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (85:105, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (85:105, 13%) 18 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (75:94, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_shared_object.toml (62:81, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (71:90, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (33:52, 15%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (67:86, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (67:86, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:147, 14%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:109, 20%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:106, 20%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (67:86, 12%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (34:53, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:105, 20%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:102, 21%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (26:45, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (164:183, 8%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (114:136, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (87:109, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:105, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_shared_object.toml (62:81, 16%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (63:81, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (164:183, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:99, 21%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:132, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:104, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:104, 20%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (68:87, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (94:116, 17%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:72, 24%) 18 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (164:183, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (61:82, 24%) - rules_building_block/lateral_movement_at.toml (44:65, 25%) 18 duplicated lines in: - rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml (56:77, 19%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (67:85, 11%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (63:82, 16%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (97:118, 13%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml (75:96, 23%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (93:114, 18%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:95, 21%) 18 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (143:165, 11%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (44:66, 25%) 18 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (91:113, 17%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:72, 24%) 18 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (88:110, 17%) - rules_building_block/lateral_movement_wmic_remote.toml (49:71, 25%) 18 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (63:82, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (113:133, 16%) - rules_building_block/collection_posh_compression.toml (126:146, 14%) 18 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (108:128, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (108:128, 15%) 18 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (22:43, 17%) - rules_building_block/execution_linux_segfault.toml (24:48, 34%) 18 duplicated lines in: - rules/linux/command_and_control_linux_ssh_x11_forwarding.toml (67:85, 14%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:102, 21%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/discovery_linux_nping_activity.toml (75:94, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (29:48, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (64:83, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (63:81, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (33:52, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (75:94, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (71:90, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (122:141, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:215, 10%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:109, 20%) 18 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (90:112, 16%) - rules_building_block/execution_unsigned_service_executable.toml (40:62, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:140, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:109, 20%) 18 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (32:51, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (34:53, 14%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (70:88, 11%) - rules_building_block/command_and_control_non_standard_http_port.toml (63:81, 13%) 18 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (33:52, 13%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:103, 21%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (33:52, 15%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (65:84, 14%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (30:49, 25%) 18 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (70:89, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (65:84, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:132, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (67:86, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/linux/discovery_linux_nping_activity.toml (75:94, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 18 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:140, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:103, 21%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:107, 19%) 18 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (65:84, 14%) - rules_building_block/discovery_capnetraw_capability.toml (30:49, 23%) 18 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:104, 20%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:118, 17%) 18 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (121:141, 15%) - rules_building_block/collection_posh_compression.toml (126:146, 14%) 18 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (63:82, 16%) - rules_building_block/persistence_web_server_sus_file_creation.toml (28:47, 15%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:112, 17%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:57, 32%) 17 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (122:141, 12%) - rules_building_block/defense_evasion_service_path_registry.toml (64:83, 20%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:112, 17%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:56, 32%) 17 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (117:136, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:126, 14%) 17 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (93:112, 16%) - rules_building_block/defense_evasion_services_exe_path.toml (61:80, 20%) 17 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (91:110, 16%) - rules_building_block/defense_evasion_service_path_registry.toml (64:83, 20%) 17 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (121:140, 12%) - rules_building_block/defense_evasion_services_exe_path.toml (61:80, 20%) 17 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (94:113, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:93, 18%) 17 duplicated lines in: - rules/windows/persistence_services_registry.toml (111:130, 14%) - rules_building_block/defense_evasion_services_exe_path.toml (61:80, 20%) 17 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (93:112, 16%) - rules_building_block/defense_evasion_service_path_registry.toml (64:83, 20%) 17 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (122:141, 12%) - rules_building_block/defense_evasion_services_exe_path.toml (61:80, 20%) 17 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (168:187, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (61:80, 20%) 17 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (121:140, 12%) - rules_building_block/defense_evasion_service_path_registry.toml (64:83, 20%) 17 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (148:167, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (61:80, 20%) 17 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:104, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:126, 14%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:112, 17%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:56, 32%) 17 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (75:96, 16%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:97, 18%) 17 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (168:187, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (64:83, 20%) 17 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (91:110, 16%) - rules_building_block/defense_evasion_services_exe_path.toml (61:80, 20%) 17 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (148:167, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (64:83, 20%) 17 duplicated lines in: - rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml (97:119, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:56, 32%) 17 duplicated lines in: - rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml (85:108, 17%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:57, 32%) 17 duplicated lines in: - rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml (97:119, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:57, 32%) 17 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:124, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:126, 14%) 17 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:121, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:126, 14%) 17 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:112, 17%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:57, 32%) 17 duplicated lines in: - rules/windows/persistence_services_registry.toml (111:130, 14%) - rules_building_block/defense_evasion_service_path_registry.toml (64:83, 20%) 17 duplicated lines in: - rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml (97:119, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:56, 32%) 17 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (8:26, 13%) - rules_building_block/command_and_control_certutil_network_connection.toml (44:62, 11%) 17 duplicated lines in: - rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml (97:119, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:57, 32%) 16 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (151:171, 10%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:100, 17%) 16 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:97, 19%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:57, 30%) 16 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:97, 19%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:56, 30%) 16 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:127, 14%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:56, 30%) 16 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:97, 19%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:57, 30%) 16 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:127, 14%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:56, 30%) 16 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (183:203, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:100, 17%) 16 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (102:122, 15%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (50:70, 25%) 16 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:127, 14%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:57, 30%) 16 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (131:150, 12%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (62:81, 22%) 16 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (175:195, 9%) - rules_building_block/persistence_creation_of_kernel_module.toml (36:56, 32%) 16 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:97, 19%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:56, 30%) 16 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:127, 14%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:57, 30%) 16 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (151:171, 10%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:69, 21%) 15 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml (81:100, 16%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (107:126, 14%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml (136:155, 9%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (76:95, 18%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml (106:125, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (158:176, 10%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:59, 24%) 15 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:109, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (100:116, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_network_watcher_deletion.toml (79:98, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:108, 16%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:68, 25%) 15 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (113:132, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (94:113, 14%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (78:97, 16%) - rules_building_block/defense_evasion_generic_deletion.toml (50:69, 24%) 15 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (101:119, 14%) - rules_building_block/defense_evasion_generic_deletion.toml (50:69, 24%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (92:111, 12%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (77:93, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (112:131, 14%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:107, 16%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/cross-platform/execution_potential_widespread_malware_infection.toml (72:91, 20%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (44:63, 21%) 15 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (133:152, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (83:102, 18%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml (73:92, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (78:94, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml (70:89, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (94:113, 14%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:70, 23%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml (93:112, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (33:52, 34%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml (94:113, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml (78:97, 17%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml (69:88, 20%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (104:123, 14%) - rules_building_block/defense_evasion_generic_deletion.toml (50:69, 24%) 15 duplicated lines in: - rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml (100:119, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:111, 16%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (85:102, 15%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:54, 28%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (80:96, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (97:113, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (77:93, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (80:99, 18%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (122:140, 12%) - rules_building_block/discovery_security_software_wmic.toml (75:94, 17%) 15 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (91:109, 14%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:56, 30%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (80:96, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:121, 14%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml (100:119, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (84:103, 17%) - rules_building_block/lateral_movement_wmic_remote.toml (49:68, 21%) 15 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (80:99, 18%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml (78:97, 17%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (94:113, 14%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (78:97, 18%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:65, 25%) 15 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (89:108, 14%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:70, 23%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml (136:155, 9%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml (98:117, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml (85:105, 15%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:52, 33%) 15 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (164:183, 9%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (71:89, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml (136:155, 9%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (120:136, 12%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (85:104, 17%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (119:138, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:52, 33%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml (75:94, 19%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (77:93, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (89:105, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (115:131, 9%) 15 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:108, 16%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:87, 20%) 15 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (124:140, 11%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/linux/command_and_control_linux_proxychains_activity.toml (99:115, 11%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (81:100, 17%) - rules_building_block/persistence_web_server_sus_file_creation.toml (87:106, 12%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml (82:101, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (164:183, 9%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml (69:88, 20%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (92:111, 12%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml (69:88, 20%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml (78:97, 17%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml (100:119, 15%) - rules_building_block/credential_access_win_private_key_access.toml (72:91, 17%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (81:97, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (78:94, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:111, 16%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (79:95, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:111, 16%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml (100:119, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:107, 16%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/_deprecated/persistence_kernel_module_activity.toml (33:52, 33%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:56, 30%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml (78:97, 17%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:121, 14%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (90:109, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:92, 16%) 15 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (80:99, 18%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (73:89, 18%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (83:102, 18%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml (107:126, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (109:128, 13%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml (105:124, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (119:138, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml (136:155, 9%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (123:142, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:92, 16%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml (95:114, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/linux/defense_evasion_disable_apparmor_attempt.toml (113:132, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (85:102, 15%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:52, 33%) 15 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:109, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (107:126, 14%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (119:138, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (122:138, 11%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (91:110, 14%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (112:131, 14%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (95:111, 9%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (76:92, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_acl_deletion.toml (81:100, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/linux/command_and_control_linux_ssh_x11_forwarding.toml (93:109, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:109, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml (69:88, 20%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (144:163, 11%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:95, 15%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:111, 16%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml (78:97, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (84:103, 17%) - rules_building_block/defense_evasion_generic_deletion.toml (50:69, 24%) 15 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (120:139, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (92:111, 12%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml (78:97, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (135:154, 10%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:107, 16%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (91:107, 10%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:107, 16%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (76:95, 18%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/windows/lateral_movement_evasion_rdp_shadowing.toml (101:120, 14%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:70, 23%) 15 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (109:126, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (76:93, 16%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (165:181, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 15 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (92:111, 12%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml (74:93, 20%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (85:104, 17%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:121, 14%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml (83:102, 17%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml (87:106, 17%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_event_hub_deletion.toml (78:97, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (80:99, 18%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:54, 28%) 15 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:136, 13%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:61, 27%) 15 duplicated lines in: - rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml (80:99, 18%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml (81:100, 16%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:69, 20%) 15 duplicated lines in: - rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml (100:119, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml (96:115, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:90, 16%) 15 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (89:108, 16%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:70, 23%) 15 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (91:107, 10%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:104, 11%) 15 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:109, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (109:128, 13%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:100, 16%) 15 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:121, 14%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:53, 28%) 15 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (76:92, 17%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:67, 22%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:128, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (66:83, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (111:127, 13%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (87:103, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (115:132, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (88:104, 13%) - rules_building_block/collection_outlook_email_archive.toml (53:69, 22%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (115:132, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (129:145, 11%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:63, 20%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (62:79, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:142, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:111, 13%) 14 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:135, 12%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:87, 18%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (116:132, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:133, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (161:176, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:100, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (91:107, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (88:104, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:79, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (108:124, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:51, 31%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (107:123, 11%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:80, 20%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (57:74, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:108, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:141, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:297, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:203, 7%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (91:107, 14%) - rules_building_block/defense_evasion_services_exe_path.toml (78:94, 17%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:163, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_prevented.toml (73:89, 19%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (100:116, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (87:103, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:123, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (87:101, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:131, 9%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (62:79, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (66:83, 11%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:104, 16%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (98:115, 13%) - rules_building_block/lateral_movement_at.toml (44:61, 20%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (58:75, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (116:132, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:354, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (90:106, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (65:82, 11%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (87:103, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:49, 33%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (106:123, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (56:73, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (106:123, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (90:106, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (105:122, 11%) - rules_building_block/discovery_net_share_discovery_winlog.toml (42:59, 23%) 14 duplicated lines in: - rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml (101:117, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (56:73, 11%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml (144:160, 10%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:63, 20%) 14 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (102:118, 14%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:68, 23%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (83:99, 17%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:128, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:213, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:61, 25%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:145, 10%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:87, 14%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (58:75, 12%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (102:115, 12%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:73, 20%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (62:79, 10%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (8:24, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:56, 9%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (63:80, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:354, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (124:140, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:165, 10%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (86:102, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (87:103, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:126, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:100, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (130:146, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (87:103, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (147:164, 9%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:67, 17%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (91:107, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:138, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (58:75, 13%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:161, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (58:75, 12%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (106:123, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (56:73, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:126, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:111, 13%) 14 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (124:140, 9%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:80, 20%) 14 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:159, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:77, 20%) 14 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:142, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (87:103, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (103:119, 13%) - rules_building_block/defense_evasion_services_exe_path.toml (78:94, 17%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (62:79, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (83:99, 17%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:128, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (66:83, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (120:136, 12%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (131:147, 11%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (131:147, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:104, 13%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:102, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (58:75, 12%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (107:124, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (116:132, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (114:131, 11%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:63, 21%) 14 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (115:131, 12%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:121, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (116:132, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (86:102, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:143, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:133, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:147, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:107, 15%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:59, 26%) 14 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (100:116, 12%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:80, 20%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (112:128, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:51, 31%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (110:126, 13%) - rules_building_block/execution_unsigned_service_executable.toml (43:59, 19%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (90:106, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (133:149, 9%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (115:132, 4%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (58:75, 12%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:123, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:138, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (62:79, 13%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (65:82, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:162, 9%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (91:107, 15%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (168:181, 8%) - rules_building_block/discovery_posh_password_policy.toml (102:115, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (62:79, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (62:79, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (58:75, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (136:152, 10%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (60:75, 10%) - rules_building_block/defense_evasion_write_dac_access.toml (28:43, 19%) 14 duplicated lines in: - rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml (103:119, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (106:123, 8%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (139:155, 10%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:63, 20%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:163, 10%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:141, 11%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (58:75, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:137, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:163, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:95, 16%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:53, 26%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (120:133, 11%) - rules_building_block/collection_posh_compression.toml (126:139, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (116:132, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (58:75, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (57:74, 12%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:131, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (131:147, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (64:80, 16%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (62:79, 11%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (175:191, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (88:104, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:161, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (103:119, 13%) - rules_building_block/defense_evasion_service_path_registry.toml (81:97, 16%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (87:103, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:161, 10%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (83:99, 17%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (58:75, 13%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:354, 4%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:134, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:138, 12%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (116:129, 11%) - rules_building_block/discovery_posh_generic.toml (290:303, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (56:73, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (158:174, 9%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:145, 11%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (86:100, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:131, 9%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:162, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (88:104, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (84:100, 15%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (81:97, 14%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:219, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:87, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:130, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (90:106, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (99:115, 14%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:80, 20%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (112:128, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:49, 33%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (90:104, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:131, 9%) 14 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:104, 16%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:61, 25%) 14 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:123, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:253, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:77, 20%) 14 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (91:107, 15%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:70, 22%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (148:165, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (55:72, 16%) 14 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (171:187, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (61:77, 17%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:145, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:163, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:145, 11%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:95, 16%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:54, 26%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (107:124, 9%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:125, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:124, 13%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (62:79, 13%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (134:147, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (108:121, 12%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:161, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (66:83, 11%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (62:79, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (62:79, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (115:132, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (98:114, 12%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:107, 14%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (175:191, 8%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (87:101, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:131, 9%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:162, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:141, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (103:119, 14%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:63, 20%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (58:75, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:273, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:60, 20%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:128, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (63:80, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:162, 9%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (66:83, 11%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (130:146, 11%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (119:135, 12%) - rules_building_block/defense_evasion_service_path_registry.toml (64:80, 16%) 14 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (108:121, 12%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:73, 20%) 14 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:253, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:121, 13%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:161, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (102:118, 14%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:87, 18%) 14 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:110, 15%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:76, 17%) 14 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:126, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:102, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (86:102, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (165:181, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:123, 12%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (83:99, 17%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (175:191, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:121, 13%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:87, 18%) 14 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (71:84, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (108:121, 12%) 14 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:51, 31%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:354, 4%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (97:113, 13%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:297, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:79, 20%) 14 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (114:131, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (46:63, 17%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (131:147, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (99:115, 12%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (99:116, 12%) - rules_building_block/lateral_movement_at.toml (44:61, 20%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (88:104, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (90:106, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (106:122, 11%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:80, 20%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (62:79, 11%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (101:117, 14%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (86:102, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:130, 13%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (106:123, 7%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (107:123, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (158:174, 9%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:354, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (62:79, 11%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (95:111, 13%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (89:105, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:52, 31%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (66:81, 11%) - rules_building_block/defense_evasion_write_dac_access.toml (28:43, 19%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (107:124, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (175:191, 8%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (91:107, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (120:137, 11%) - rules_building_block/command_and_control_bitsadmin_activity.toml (55:72, 16%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:125, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:147, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:143, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (107:124, 9%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (88:104, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:201, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:61, 25%) 14 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (111:127, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:134, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (62:79, 10%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (66:83, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (131:147, 11%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (62:79, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:201, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (58:75, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (96:112, 13%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (115:132, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (100:116, 14%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:79, 19%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (199:215, 7%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:162, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:143, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (106:123, 7%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (116:132, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (91:107, 14%) - rules_building_block/defense_evasion_service_path_registry.toml (81:97, 16%) 14 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:143, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (65:82, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (70:86, 20%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:101, 13%) 14 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (131:147, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (61:77, 17%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:137, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (58:75, 12%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:147, 11%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (57:74, 12%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (65:82, 11%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (83:99, 17%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:133, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:128, 12%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (57:74, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:121, 13%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:68, 23%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:137, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:125, 13%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (90:106, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (58:75, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (114:131, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (49:66, 16%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (86:102, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (130:146, 11%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (86:102, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (131:147, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (58:75, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:52, 31%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:133, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:95, 16%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:53, 26%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:162, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:143, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:124, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:161, 10%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_prevented.toml (73:89, 19%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:147, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:137, 12%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (62:79, 10%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (90:106, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (62:79, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (62:79, 11%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (131:147, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (61:77, 17%) 14 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (153:169, 9%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (79:95, 14%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (58:75, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (126:142, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:116, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:124, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (56:73, 11%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (106:123, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (58:75, 12%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (88:104, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (115:132, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:147, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (62:79, 10%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (57:74, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (109:122, 12%) - rules_building_block/collection_posh_compression.toml (126:139, 10%) 14 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (121:137, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (81:97, 16%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (112:128, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:143, 11%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:137, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (58:75, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:125, 13%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:147, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:123, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:130, 13%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (62:79, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (62:79, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:133, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (112:128, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (106:123, 8%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:128, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (62:79, 13%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (62:79, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (63:80, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (175:191, 8%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:143, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:76, 17%) 14 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (133:150, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (55:72, 16%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (63:80, 11%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml (144:160, 10%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:63, 20%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (106:123, 8%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:130, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:95, 16%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:54, 26%) 14 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:165, 10%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:61, 25%) 14 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_detected.toml (74:90, 19%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (57:74, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:123, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (56:73, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_detected.toml (74:90, 19%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (114:130, 12%) - rules_building_block/defense_evasion_service_path_registry.toml (64:80, 16%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (158:174, 9%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (106:122, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:126, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:123, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (116:132, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (124:140, 11%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (131:147, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (64:80, 16%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:130, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (127:143, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (61:77, 17%) 14 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:159, 10%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:121, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (65:82, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (58:75, 13%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (58:75, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (115:131, 12%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:77, 20%) 14 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (100:116, 12%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:104, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:111, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:273, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:184, 7%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:138, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (202:218, 7%) - rules_building_block/execution_unsigned_service_executable.toml (43:59, 19%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (86:102, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:161, 10%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:133, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:133, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:147, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (199:215, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:145, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (199:215, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (121:137, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (78:94, 17%) 14 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (116:129, 11%) - rules_building_block/discovery_posh_password_policy.toml (102:115, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (58:75, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:134, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (81:94, 16%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:73, 20%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (63:80, 11%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (112:128, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:134, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (91:107, 15%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (66:83, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:138, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:354, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (107:124, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:142, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:102, 15%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:162, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:134, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (58:75, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:134, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (67:82, 10%) - rules_building_block/defense_evasion_write_dac_access.toml (28:43, 19%) 14 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:52, 31%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (89:105, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (63:80, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (87:103, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (62:79, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (57:74, 12%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (58:75, 13%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (90:106, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (88:104, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (112:128, 12%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:148, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (119:135, 12%) - rules_building_block/defense_evasion_services_exe_path.toml (61:77, 17%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (57:74, 12%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (66:83, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:134, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (107:124, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (106:123, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:130, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (57:74, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:50, 32%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:107, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (89:105, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (106:123, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (239:255, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:63, 20%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (62:79, 13%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (102:119, 11%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:76, 16%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:137, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (57:74, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (58:75, 12%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (158:174, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (124:140, 11%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:134, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:354, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:134, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:51, 31%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:128, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:124, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (199:215, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:134, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:123, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (56:73, 11%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (57:74, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:117, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:135, 12%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:68, 23%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (58:75, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (116:132, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:147, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (78:95, 13%) - rules_building_block/lateral_movement_at.toml (44:61, 20%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (62:79, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (88:104, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:124, 13%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:133, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml (111:127, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (116:130, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:131, 9%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:147, 11%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/initial_access_execution_via_office_addins.toml (126:142, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (184:200, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:63, 20%) 14 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:51, 31%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (90:106, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:137, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (127:143, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (64:80, 16%) 14 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (158:174, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (87:103, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (58:75, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:145, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (65:82, 11%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:147, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (102:118, 12%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (106:123, 7%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (57:74, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (65:82, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (62:79, 11%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:143, 11%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (90:104, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:131, 9%) 14 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (124:140, 9%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:138, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/initial_access_execution_via_office_addins.toml (126:142, 10%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:80, 20%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:133, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:124, 13%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (62:79, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:165, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:133, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (171:187, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (64:80, 16%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (89:105, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (106:123, 8%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (58:75, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (86:102, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (109:124, 13%) - rules_building_block/lateral_movement_wmic_remote.toml (65:80, 19%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:162, 9%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (63:80, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (89:105, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (58:75, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (116:132, 12%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (57:74, 12%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (56:73, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (87:103, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:113, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:125, 13%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:145, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:133, 12%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:164, 10%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:111, 14%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:138, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:134, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:147, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/integrations/azure/impact_resource_group_deletion.toml (93:109, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (62:79, 11%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (8:24, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:56, 9%) 14 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:123, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (87:103, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (88:104, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (58:75, 12%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (107:124, 9%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:141, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:126, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:73, 21%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:104, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:100, 15%) 14 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:132, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (151:167, 9%) - rules_building_block/execution_unsigned_service_executable.toml (43:59, 19%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (124:140, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (58:75, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:125, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (130:146, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (88:104, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (87:103, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:133, 12%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:49, 33%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:147, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (115:132, 4%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:147, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (105:121, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (168:181, 8%) - rules_building_block/discovery_posh_generic.toml (290:303, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:133, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:141, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (106:123, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (27:44, 12%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:134, 11%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:130, 13%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (63:80, 11%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (115:132, 4%) - rules_building_block/collection_posh_compression.toml (22:39, 10%) 14 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:212, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (116:132, 12%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml (111:127, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:137, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (87:103, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (112:128, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (107:124, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:147, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:125, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (165:181, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:80, 20%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (87:103, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:134, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (90:106, 16%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:49, 33%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (105:121, 13%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:63, 20%) 14 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:113, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (86:102, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:141, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (99:115, 14%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:93, 17%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:130, 13%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (103:119, 12%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:56, 28%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:145, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:213, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:76, 19%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (114:130, 12%) - rules_building_block/defense_evasion_services_exe_path.toml (61:77, 17%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (58:75, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:143, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:163, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:133, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (62:79, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:111, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (62:79, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (116:132, 12%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:134, 11%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (106:123, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (23:37, 12%) 14 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:141, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (199:215, 7%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (87:103, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:113, 14%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:179, 9%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:147, 11%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:133, 12%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml (110:126, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:90, 15%) 14 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (143:159, 9%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:69, 18%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (57:74, 12%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (143:159, 9%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:100, 15%) 14 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (62:79, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (26:43, 13%) 14 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:145, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:107, 15%) 14 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (122:138, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (76:92, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:142, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:100, 15%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:163, 10%) - rules_building_block/discovery_posh_password_policy.toml (106:122, 12%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (65:82, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (21:38, 15%) 14 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:44, 37%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (130:146, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:49, 33%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:123, 11%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (106:123, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:161, 10%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (86:102, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:130, 12%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:354, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (124:140, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:138, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:163, 10%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (57:74, 12%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (22:39, 15%) 14 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:134, 12%) - rules_building_block/collection_posh_compression.toml (130:146, 10%) 14 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:134, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:109, 15%) 14 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (111:127, 10%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:80, 20%) 14 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:125, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:118, 13%) 14 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (87:103, 16%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 14 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (58:75, 12%) - rules_building_block/discovery_posh_generic.toml (22:39, 5%) 14 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:128, 12%) - rules_building_block/persistence_transport_agent_exchange.toml (112:128, 12%) 14 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (57:74, 12%) - rules_building_block/discovery_posh_password_policy.toml (22:39, 12%) 14 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:124, 13%) - rules_building_block/discovery_posh_generic.toml (294:310, 5%) 13 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (99:112, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (99:112, 8%) 13 duplicated lines in: - rules/windows/discovery_command_system_account.toml (49:62, 13%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:60, 13%) 13 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (87:100, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (85:98, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (97:111, 12%) - rules_building_block/lateral_movement_at.toml (47:61, 18%) 13 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (105:119, 12%) - rules_building_block/command_and_control_bitsadmin_activity.toml (58:72, 15%) 13 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (89:102, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (65:79, 16%) - rules_building_block/lateral_movement_at.toml (47:61, 18%) 13 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (80:93, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_address.toml (87:99, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:131, 8%) 13 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (95:108, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (91:104, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (89:102, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (86:99, 11%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (123:139, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (58:72, 15%) 13 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (87:100, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (101:114, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_registry.toml (81:93, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:131, 8%) 13 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_hash.toml (86:98, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:131, 8%) 13 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (148:162, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:76, 15%) 13 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (94:107, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:130, 8%) 13 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (120:134, 10%) - rules_building_block/lateral_movement_at.toml (47:61, 18%) 12 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (30:44, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (16:30, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (128:142, 10%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (29:43, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (55:67, 14%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (95:109, 13%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (116:130, 10%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (121:135, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (30:44, 10%) 12 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (138:152, 9%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (81:95, 12%) 12 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (34:48, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (62:76, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (24:38, 13%) 12 duplicated lines in: - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml (78:92, 16%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml (70:84, 16%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (145:159, 8%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (60:74, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (101:116, 11%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (62:76, 16%) 12 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (90:105, 13%) - rules_building_block/defense_evasion_download_susp_extension.toml (58:73, 14%) 12 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (126:140, 9%) - rules_building_block/credential_access_win_private_key_access.toml (77:91, 14%) 12 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:129, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:76, 16%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (62:76, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (30:44, 10%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (95:109, 13%) - rules_building_block/collection_posh_compression.toml (132:146, 9%) 12 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (27:39, 11%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (30:42, 16%) 12 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (124:138, 10%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (119:133, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (76:90, 12%) 12 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (64:76, 7%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (122:136, 10%) - rules_building_block/collection_common_compressed_archived_file.toml (89:103, 10%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (121:135, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (24:38, 13%) 12 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (60:72, 10%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (140:154, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:129, 10%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:79, 16%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (121:135, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (29:43, 11%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (76:90, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (30:44, 10%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (107:121, 6%) - rules_building_block/discovery_posh_password_policy.toml (25:39, 11%) 12 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (28:40, 10%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (24:39, 16%) 12 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:161, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:57, 20%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (95:109, 13%) - rules_building_block/discovery_posh_password_policy.toml (108:122, 11%) 12 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (131:143, 9%) - rules_building_block/discovery_generic_account_groups.toml (82:94, 12%) 12 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (59:71, 10%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml (91:106, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:56, 19%) 12 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (24:36, 7%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (121:135, 7%) - rules_building_block/collection_posh_compression.toml (25:39, 9%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (121:135, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (26:37, 10%) 12 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (101:116, 11%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (61:75, 17%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (107:121, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (25:39, 12%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (95:109, 13%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (93:107, 12%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (107:121, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (30:44, 10%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (76:90, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (25:39, 12%) 12 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (75:86, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:56, 16%) 12 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (144:158, 9%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:63, 17%) 12 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (31:45, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (22:36, 11%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (23:38, 16%) 12 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (95:106, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (99:110, 7%) 12 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (88:102, 12%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml (122:135, 10%) - rules_building_block/collection_common_compressed_archived_file.toml (89:103, 10%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (107:121, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (29:43, 11%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (107:121, 6%) - rules_building_block/collection_posh_compression.toml (25:39, 9%) 12 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (127:141, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (53:65, 10%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (150:164, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (76:90, 12%) 12 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (29:43, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (62:76, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (26:37, 10%) 12 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (131:143, 9%) - rules_building_block/discovery_posh_generic.toml (244:256, 4%) 12 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (110:125, 11%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (50:64, 20%) 12 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (307:320, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (45:58, 19%) 12 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (27:39, 11%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (23:39, 17%) 12 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (146:160, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:63, 17%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (95:109, 13%) - rules_building_block/discovery_posh_generic.toml (296:310, 4%) 12 duplicated lines in: - rules/integrations/github/persistence_organization_owner_role_granted.toml (73:87, 16%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (57:69, 9%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (129:143, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (76:90, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (26:37, 10%) 12 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (115:129, 11%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (54:66, 13%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:59, 12%) 12 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (22:36, 11%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (23:39, 17%) 12 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (101:116, 11%) - rules_building_block/discovery_linux_system_information_discovery.toml (38:53, 25%) 12 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (22:36, 11%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (30:42, 16%) 12 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (90:105, 13%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:71, 18%) 12 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (101:115, 11%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (81:95, 12%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (107:121, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (24:38, 13%) 12 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (115:129, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (76:90, 12%) 12 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (100:112, 9%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:59, 12%) 12 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (62:74, 10%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (62:76, 9%) - rules_building_block/collection_posh_compression.toml (25:39, 9%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (76:90, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (29:43, 11%) 12 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml (110:124, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (121:135, 7%) - rules_building_block/discovery_posh_generic.toml (25:39, 4%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (95:109, 13%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (104:118, 11%) 12 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (101:115, 12%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (107:121, 11%) 12 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:129, 10%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:78, 17%) 12 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (43:57, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (107:121, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (26:37, 10%) 12 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (107:121, 6%) - rules_building_block/discovery_posh_generic.toml (25:39, 4%) 12 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (81:96, 14%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:71, 18%) 12 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (165:179, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (89:103, 10%) 12 duplicated lines in: - rules/windows/impact_backup_file_deletion.toml (63:75, 10%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (16:30, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (27:39, 11%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (24:39, 16%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (76:90, 11%) - rules_building_block/discovery_posh_generic.toml (25:39, 4%) 12 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (35:49, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (35:49, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (105:116, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (99:110, 7%) 12 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (69:84, 16%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (34:49, 24%) 12 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (117:129, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:59, 12%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (76:90, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (24:38, 13%) 12 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (28:40, 10%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (23:39, 17%) 12 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (16:30, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (8:22, 8%) 12 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (63:75, 10%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (96:110, 12%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (128:142, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (22:36, 11%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (24:39, 16%) 12 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (94:107, 13%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (49:63, 17%) 12 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (129:143, 9%) - rules_building_block/collection_common_compressed_archived_file.toml (89:103, 10%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (121:135, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (25:39, 12%) 12 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (90:105, 13%) - rules_building_block/defense_evasion_download_susp_extension.toml (58:73, 14%) 12 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (127:140, 9%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (48:62, 22%) 12 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (69:84, 16%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (35:50, 24%) 12 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (101:115, 12%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (63:77, 17%) 12 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml (109:123, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (62:76, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (29:43, 11%) 12 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml (84:98, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (27:39, 11%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (23:38, 16%) 12 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (161:175, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (55:69, 19%) 12 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (28:40, 10%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (23:38, 16%) 12 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (90:105, 13%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (56:71, 18%) 12 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (58:70, 14%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:59, 12%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (76:90, 11%) - rules_building_block/collection_posh_compression.toml (25:39, 9%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (62:76, 9%) - rules_building_block/discovery_posh_generic.toml (25:39, 4%) 12 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml (90:105, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:56, 19%) 12 duplicated lines in: - rules/windows/discovery_admin_recon.toml (113:125, 10%) - rules_building_block/discovery_posh_generic.toml (244:256, 4%) 12 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (95:109, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:70, 19%) 12 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (109:120, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (99:110, 7%) 12 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (81:96, 14%) - rules_building_block/defense_evasion_download_susp_extension.toml (58:73, 14%) 12 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (76:90, 11%) - rules_building_block/discovery_posh_password_policy.toml (25:39, 11%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (62:76, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (25:39, 12%) 12 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (28:40, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (30:42, 16%) 12 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (69:84, 16%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (34:49, 24%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (95:109, 13%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (95:109, 13%) 12 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (157:171, 8%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (48:62, 22%) 12 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (95:109, 13%) - rules_building_block/persistence_transport_agent_exchange.toml (114:128, 10%) 12 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (58:70, 11%) - rules_building_block/discovery_net_view.toml (50:62, 12%) 12 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (121:135, 7%) - rules_building_block/discovery_posh_password_policy.toml (25:39, 11%) 12 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (62:76, 9%) - rules_building_block/discovery_posh_password_policy.toml (25:39, 11%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml (97:111, 11%) - rules_building_block/impact_github_user_blocked_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (84:98, 13%) - rules_building_block/impact_github_user_blocked_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (106:116, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (128:140, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:138, 8%) 11 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (131:143, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (61:73, 15%) 11 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (67:80, 15%) - rules_building_block/discovery_getconf_execution.toml (40:53, 22%) 11 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (91:104, 11%) - rules_building_block/defense_evasion_services_exe_path.toml (61:74, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:139, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (93:104, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (136:149, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (74:84, 13%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (120:134, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:175, 7%) 11 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:130, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:58, 21%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:67, 18%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (152:164, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:102, 11%) 11 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (131:144, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml (90:102, 10%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:46, 21%) 11 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (122:135, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:140, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:108, 10%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:122, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:108, 10%) 11 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:158, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:82, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (101:115, 9%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (42:56, 22%) 11 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (65:79, 17%) - rules_building_block/execution_aws_lambda_function_updated.toml (56:70, 17%) 11 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (126:140, 9%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (63:76, 15%) 11 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (85:99, 13%) - rules_building_block/execution_wmi_wbemtest.toml (44:58, 21%) 11 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (78:92, 14%) - rules_building_block/impact_github_pat_access_revoked.toml (33:47, 26%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:122, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:97, 11%) 11 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (93:106, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (103:116, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (61:74, 13%) 11 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (70:84, 14%) - rules_building_block/execution_github_new_event_action_for_pat.toml (35:49, 22%) 11 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (87:97, 9%) - rules_building_block/discovery_capnetraw_capability.toml (45:55, 14%) 11 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (113:127, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (39:53, 23%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (158:170, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:47, 20%) 11 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (42:52, 8%) - rules_building_block/discovery_capnetraw_capability.toml (45:55, 14%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (139:151, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:102, 11%) 11 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (108:120, 9%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (95:107, 10%) 11 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (91:104, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (276:288, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (55:67, 13%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (158:170, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:46, 21%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_deleted.toml (81:95, 14%) - rules_building_block/impact_github_member_removed_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (130:144, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:73, 12%) 11 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (126:140, 9%) - rules_building_block/discovery_getconf_execution.toml (40:53, 22%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (35:49, 22%) 11 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (121:134, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml (78:90, 12%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (94:108, 12%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:71, 16%) 11 duplicated lines in: - rules/windows/persistence_services_registry.toml (111:124, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (106:118, 9%) - rules_building_block/collection_outlook_email_archive.toml (50:62, 17%) 11 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (83:97, 13%) - rules_building_block/discovery_of_domain_groups.toml (41:55, 22%) 11 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (84:98, 13%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:71, 16%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (96:110, 11%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (42:56, 22%) 11 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (131:144, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (93:106, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_disabled.toml (81:95, 14%) - rules_building_block/impact_github_member_removed_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (103:116, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (64:77, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:109, 9%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:67, 18%) 11 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:123, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:108, 10%) 11 duplicated lines in: - rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml (85:97, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:138, 8%) 11 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (122:135, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:123, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (168:181, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (82:92, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (43:53, 9%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml (94:106, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:97, 9%) 11 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (121:134, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml (91:103, 10%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:46, 21%) 11 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (171:184, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (43:53, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (43:53, 9%) 11 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (123:137, 9%) - rules_building_block/lateral_movement_at.toml (44:58, 15%) 11 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (106:120, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:175, 7%) 11 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (111:125, 10%) - rules_building_block/discovery_generic_process_discovery.toml (51:65, 18%) 11 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (136:149, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (77:87, 12%) 11 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (102:116, 10%) - rules_building_block/discovery_getconf_execution.toml (40:53, 22%) 11 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (148:161, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (45:58, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:60, 12%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (35:49, 22%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml (101:115, 11%) - rules_building_block/impact_github_pat_access_revoked.toml (33:47, 26%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_iam_role_deletion.toml (81:95, 14%) - rules_building_block/impact_github_member_removed_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (142:152, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:129, 9%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:179, 5%) 11 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (80:92, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (139:152, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:51, 20%) 11 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (119:132, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml (69:81, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (45:58, 12%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:60, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (93:107, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:64, 13%) 11 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml (90:102, 10%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:46, 21%) 11 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (123:133, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:129, 9%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:55, 15%) 11 duplicated lines in: - rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml (69:83, 15%) - rules_building_block/impact_github_pat_access_revoked.toml (33:47, 26%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml (91:103, 10%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:47, 20%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (91:103, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (113:127, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (60:74, 16%) 11 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (44:57, 13%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (32:45, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:137, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (81:95, 13%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (51:64, 18%) 11 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (136:150, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:71, 16%) 11 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (113:127, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (62:75, 15%) 11 duplicated lines in: - rules/_deprecated/lateral_movement_malicious_remote_file_creation.toml (31:45, 28%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:114, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:108, 10%) 11 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:121, 10%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (62:75, 15%) 11 duplicated lines in: - rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml (69:83, 15%) - rules_building_block/impact_github_member_removed_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:122, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml (101:115, 11%) - rules_building_block/impact_github_user_blocked_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (136:146, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (250:260, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:66, 15%) 11 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:121, 10%) - rules_building_block/discovery_windows_system_information_discovery.toml (60:74, 16%) 11 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (91:104, 11%) - rules_building_block/defense_evasion_service_path_registry.toml (64:77, 12%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (36:50, 22%) 11 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:138, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:108, 10%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (158:170, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:46, 21%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (90:104, 11%) - rules_building_block/impact_github_member_removed_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml (136:148, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (102:116, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:71, 16%) 11 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (131:144, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/windows/credential_access_imageload_azureadconnectauthsvc.toml (97:111, 11%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:61, 20%) 11 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (65:79, 17%) - rules_building_block/execution_github_repo_created.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (97:109, 9%) - rules_building_block/defense_evasion_generic_deletion.toml (50:62, 17%) 11 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:121, 10%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (63:76, 15%) 11 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:140, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:97, 11%) 11 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (82:96, 12%) - rules_building_block/command_and_control_bitsadmin_activity.toml (55:69, 13%) 11 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (168:181, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (113:127, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (63:76, 15%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_deleted.toml (81:95, 14%) - rules_building_block/impact_github_user_blocked_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (92:104, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (91:104, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml (101:115, 11%) - rules_building_block/impact_github_member_removed_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (127:137, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (134:144, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:113, 9%) 11 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (82:96, 13%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (60:73, 14%) 11 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (65:79, 17%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (35:49, 22%) 11 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:89, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:108, 10%) 11 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (94:108, 12%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:73, 12%) 11 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (102:114, 10%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/windows/lateral_movement_via_wsus_update.toml (90:104, 12%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (102:115, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (91:104, 11%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (158:170, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:47, 20%) 11 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (116:126, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:111, 10%) 11 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (137:147, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (84:98, 13%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:73, 12%) 11 duplicated lines in: - rules/windows/persistence_service_windows_service_winlog.toml (131:144, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (111:124, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (74:84, 13%) 11 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (42:52, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:55, 15%) 11 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (104:117, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (155:167, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (46:58, 17%) 11 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (70:84, 14%) - rules_building_block/execution_github_repo_created.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (82:96, 13%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (63:76, 15%) 11 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (118:130, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:62, 14%) 11 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (121:134, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:77, 12%) 11 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (139:152, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:49, 24%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (166:180, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:175, 7%) 11 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:138, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:97, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:114, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:97, 11%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml (97:111, 11%) - rules_building_block/impact_github_pat_access_revoked.toml (33:47, 26%) 11 duplicated lines in: - rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml (100:112, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_file_writes.toml (54:68, 18%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (67:80, 15%) - rules_building_block/discovery_windows_system_information_discovery.toml (60:74, 16%) 11 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (240:253, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:87, 12%) 11 duplicated lines in: - rules/windows/credential_access_domain_backup_dpapi_private_keys.toml (55:67, 15%) - rules_building_block/credential_access_win_private_key_access.toml (72:84, 13%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml (91:103, 10%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:46, 21%) 11 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (88:100, 12%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (65:79, 17%) - rules_building_block/execution_github_new_event_action_for_pat.toml (35:49, 22%) 11 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (67:80, 15%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (60:73, 14%) 11 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (67:80, 15%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (62:75, 15%) 11 duplicated lines in: - rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml (69:83, 15%) - rules_building_block/impact_github_user_blocked_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:135, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (44:57, 13%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:53, 10%) 11 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (112:124, 8%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (134:146, 7%) 11 duplicated lines in: - rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml (31:45, 28%) - rules_building_block/discovery_generic_process_discovery.toml (51:65, 18%) 11 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (106:116, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:113, 9%) 11 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (114:127, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (148:161, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (126:140, 9%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (60:73, 14%) 11 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (82:96, 13%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (62:75, 15%) 11 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (131:144, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (127:140, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (139:151, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (55:67, 13%) 11 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (143:153, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_repo_created.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (82:96, 13%) - rules_building_block/discovery_getconf_execution.toml (40:53, 22%) 11 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (110:122, 8%) - rules_building_block/discovery_net_view.toml (99:111, 11%) 11 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (81:95, 13%) - rules_building_block/discovery_generic_process_discovery.toml (51:65, 18%) 11 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (118:130, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:93, 12%) 11 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (121:134, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:74, 13%) 11 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (128:138, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (78:92, 14%) - rules_building_block/impact_github_member_removed_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml (81:95, 13%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:64, 13%) 11 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (126:140, 9%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (62:75, 15%) 11 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (65:79, 17%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (35:49, 22%) 11 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml (93:105, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:97, 9%) 11 duplicated lines in: - rules/network/lateral_movement_dns_server_overflow.toml (77:91, 14%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_disabled.toml (81:95, 14%) - rules_building_block/impact_github_user_blocked_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (152:164, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (46:58, 17%) 11 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (111:121, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml (90:102, 10%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:47, 20%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml (91:103, 10%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:47, 20%) 11 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (106:120, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (55:69, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:158, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:179, 5%) 11 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (136:150, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:73, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (106:118, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:83, 11%) 11 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (119:132, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/_deprecated/lateral_movement_remote_file_creation_in_sensitive_directory.toml (45:59, 20%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:114, 10%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:99, 12%) 11 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (113:127, 8%) - rules_building_block/discovery_getconf_execution.toml (40:53, 22%) 11 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (98:110, 9%) - rules_building_block/persistence_startup_folder_lnk.toml (46:58, 17%) 11 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (108:118, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:113, 9%) 11 duplicated lines in: - rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml (97:111, 11%) - rules_building_block/impact_github_member_removed_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (89:103, 12%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (42:56, 22%) 11 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:121, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (60:73, 14%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:122, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:99, 12%) 11 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (41:51, 11%) - rules_building_block/persistence_web_server_sus_file_creation.toml (43:53, 9%) 11 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:129, 9%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:54, 18%) 11 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (65:79, 17%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (36:50, 22%) 11 duplicated lines in: - rules/network/command_and_control_download_rar_powershell_from_internet.toml (114:128, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (55:69, 13%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (168:182, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:175, 7%) 11 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (82:96, 13%) - rules_building_block/discovery_linux_system_information_discovery.toml (39:53, 23%) 11 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (83:97, 13%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:64, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (77:91, 14%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (42:56, 22%) 11 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (133:147, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:175, 7%) 11 duplicated lines in: - rules/windows/persistence_services_registry.toml (111:124, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:122, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:158, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:54, 20%) 11 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (78:92, 14%) - rules_building_block/impact_github_user_blocked_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (168:178, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:111, 10%) 11 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (240:253, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:84, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (104:117, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (131:143, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (45:57, 19%) 11 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (127:140, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (148:162, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:175, 7%) 11 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (71:81, 13%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:113, 9%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:123, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (111:121, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:113, 9%) 11 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (83:93, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (43:53, 9%) 11 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (171:184, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:94, 12%) 11 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (92:104, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (87:97, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:55, 15%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (90:104, 11%) - rules_building_block/impact_github_user_blocked_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (97:111, 8%) - rules_building_block/execution_wmi_wbemtest.toml (44:58, 21%) 11 duplicated lines in: - rules/_deprecated/discovery_query_registry_via_reg.toml (29:43, 29%) - rules_building_block/discovery_generic_registry_query.toml (54:68, 16%) 11 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (136:149, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:205, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (131:141, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:123, 8%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:99, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:164, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_disabled.toml (81:95, 14%) - rules_building_block/impact_github_pat_access_revoked.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (126:140, 9%) - rules_building_block/discovery_linux_system_information_discovery.toml (39:53, 23%) 11 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (138:152, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (46:60, 16%) 11 duplicated lines in: - rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml (31:45, 28%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (51:64, 18%) 11 duplicated lines in: - rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml (168:181, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:138, 8%) 11 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (67:80, 15%) - rules_building_block/discovery_linux_system_information_discovery.toml (39:53, 23%) 11 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (129:141, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (46:58, 17%) 11 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (113:127, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (60:73, 14%) 11 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (82:96, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:175, 7%) 11 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (82:96, 13%) - rules_building_block/discovery_windows_system_information_discovery.toml (60:74, 16%) 11 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:123, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:97, 11%) 11 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:89, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:97, 11%) 11 duplicated lines in: - rules/windows/lateral_movement_unusual_dns_service_children.toml (101:115, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (76:90, 11%) 11 duplicated lines in: - rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml (97:109, 10%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:53, 18%) 11 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (130:144, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:71, 16%) 11 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (153:163, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (92:106, 12%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:61, 20%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_iam_role_deletion.toml (81:95, 14%) - rules_building_block/impact_github_user_blocked_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (70:84, 14%) - rules_building_block/execution_aws_lambda_function_updated.toml (56:70, 17%) 11 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (146:158, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:83, 11%) 11 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:121, 10%) - rules_building_block/discovery_getconf_execution.toml (40:53, 22%) 11 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (126:140, 9%) - rules_building_block/discovery_windows_system_information_discovery.toml (60:74, 16%) 11 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:122, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:101, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/windows/persistence_runtime_run_key_startup_susp_procs.toml (87:99, 12%) - rules_building_block/persistence_startup_folder_lnk.toml (46:58, 17%) 11 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (93:107, 11%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:61, 20%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (166:180, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (55:69, 13%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_iam_role_deletion.toml (81:95, 14%) - rules_building_block/impact_github_pat_access_revoked.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (124:138, 9%) - rules_building_block/lateral_movement_at.toml (44:58, 15%) 11 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:177, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:57, 18%) 11 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (114:127, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (78:91, 13%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (84:98, 13%) - rules_building_block/impact_github_pat_access_revoked.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (102:116, 10%) - rules_building_block/discovery_windows_system_information_discovery.toml (60:74, 16%) 11 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (102:116, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (60:73, 14%) 11 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (138:148, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (146:160, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:175, 7%) 11 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:129, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:82, 11%) 11 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:158, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:55, 15%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_filesystem.toml (81:95, 13%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (42:56, 22%) 11 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml (90:102, 10%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:47, 20%) 11 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (135:145, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml (78:91, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:138, 8%) 11 duplicated lines in: - rules/network/command_and_control_download_rar_powershell_from_internet.toml (114:128, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:175, 7%) 11 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (124:134, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:118, 9%) 11 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (168:182, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (55:69, 13%) 11 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:114, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:67, 16%) 11 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (212:222, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:87, 12%) 11 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (108:122, 10%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (42:56, 22%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (84:98, 13%) - rules_building_block/impact_github_member_removed_from_organization.toml (33:47, 26%) 11 duplicated lines in: - rules/_deprecated/defense_evasion_code_injection_conhost.toml (91:105, 12%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:64, 13%) 11 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (75:85, 11%) - rules_building_block/discovery_capnetraw_capability.toml (45:55, 14%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_github_new_event_action_for_pat.toml (35:49, 22%) 11 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (90:104, 11%) - rules_building_block/impact_github_pat_access_revoked.toml (33:47, 26%) 11 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (67:80, 15%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (63:76, 15%) 11 duplicated lines in: - rules/integrations/gcp/impact_gcp_service_account_deleted.toml (81:95, 14%) - rules_building_block/impact_github_pat_access_revoked.toml (33:47, 26%) 11 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (83:97, 13%) - rules_building_block/execution_aws_lambda_function_updated.toml (56:70, 17%) 11 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:121, 10%) - rules_building_block/discovery_linux_system_information_discovery.toml (39:53, 23%) 11 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (159:173, 7%) - rules_building_block/lateral_movement_at.toml (44:58, 15%) 11 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (111:124, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (77:87, 12%) 11 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (212:222, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:84, 13%) 10 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (162:173, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (192:203, 5%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (102:113, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:214, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:54, 18%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:140, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (109:118, 9%) - rules_building_block/persistence_startup_folder_lnk.toml (49:58, 16%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (138:147, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (110:121, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:128, 7%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (194:205, 5%) - rules_building_block/discovery_net_view.toml (109:120, 10%) 10 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (30:40, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (143:152, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:86, 11%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:181, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml (90:101, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:137, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml (83:92, 12%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml (72:81, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (176:187, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml (124:133, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:138, 7%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:110, 8%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (175:186, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:114, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:132, 8%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (105:116, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (164:175, 6%) 10 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (112:121, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (85:94, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (71:81, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:133, 8%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (194:205, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (57:68, 16%) 10 duplicated lines in: - rules/windows/initial_access_execution_via_office_addins.toml (126:135, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (31:41, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (103:114, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/windows/persistence_via_bits_job_notify_command.toml (97:108, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (82:93, 12%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (21:31, 10%) - rules_building_block/discovery_net_view.toml (50:60, 10%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:122, 9%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (141:152, 7%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:111, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:116, 8%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:206, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (181:192, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (130:141, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (150:161, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (172:181, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (138:147, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:132, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:128, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:89, 11%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (112:121, 7%) - rules_building_block/discovery_internet_capabilities.toml (42:51, 17%) 10 duplicated lines in: - rules/windows/command_and_control_iexplore_via_com.toml (90:101, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:135, 8%) 10 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (143:152, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:83, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml (81:91, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (120:129, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:97, 8%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (124:133, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml (81:90, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml (79:90, 12%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:137, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:81, 14%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:137, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (75:84, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (172:181, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (70:80, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (89:98, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:130, 6%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (120:131, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:114, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (133:142, 7%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:158, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:268, 3%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (100:111, 7%) - rules_building_block/discovery_security_software_wmic.toml (95:106, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (117:126, 8%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (172:181, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (120:129, 6%) - rules_building_block/lateral_movement_at.toml (59:68, 14%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_passwd_file_write.toml (32:42, 8%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (111:122, 9%) - rules_building_block/defense_evasion_masquerading_browsers.toml (192:203, 5%) 10 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (96:106, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:123, 8%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (138:147, 7%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:88, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:53, 16%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (138:147, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (126:135, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:129, 8%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:114, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml (92:103, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:132, 8%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:194, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:214, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:132, 8%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (126:137, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (58:69, 12%) 10 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (130:141, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (77:87, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (125:136, 8%) - rules_building_block/discovery_system_network_connections.toml (40:51, 22%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml (22:32, 9%) - rules_building_block/discovery_net_view.toml (50:60, 10%) 10 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (109:120, 9%) - rules_building_block/execution_wmi_wbemtest.toml (47:58, 19%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:150, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (171:180, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:90, 11%) 10 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (102:113, 9%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (171:180, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:73, 11%) 10 duplicated lines in: - rules/promotions/privilege_escalation_endgame_process_injection_detected.toml (74:85, 14%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:76, 12%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:140, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (174:185, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (106:115, 9%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (198:209, 5%) - rules_building_block/discovery_security_software_wmic.toml (95:106, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (120:129, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml (110:120, 9%) - rules_building_block/discovery_of_domain_groups.toml (44:55, 20%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (133:142, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (75:84, 11%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (131:142, 8%) - rules_building_block/lateral_movement_at.toml (47:58, 14%) 10 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml (122:131, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:138, 7%) 10 duplicated lines in: - rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml (90:101, 12%) - rules_building_block/command_and_control_bitsadmin_activity.toml (58:69, 12%) 10 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (97:106, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (68:77, 8%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml (89:100, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/initial_access_rdp_file_mail_attachment.toml (99:108, 10%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (21:30, 10%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (23:35, 14%) 10 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (110:119, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:112, 8%) 10 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (44:56, 12%) - rules_building_block/discovery_net_view.toml (32:44, 10%) 10 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:97, 11%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (111:122, 9%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (110:121, 9%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:114, 9%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (57:67, 10%) - rules_building_block/discovery_net_view.toml (50:60, 10%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:128, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (102:113, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (88:99, 12%) - rules_building_block/discovery_security_software_wmic.toml (95:106, 11%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:158, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (89:99, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (109:120, 9%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:114, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (84:94, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:122, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (113:124, 9%) - rules_building_block/execution_wmi_wbemtest.toml (47:58, 19%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (97:106, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:73, 14%) 10 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml (94:103, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (175:186, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:194, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:150, 6%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:89, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:114, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:116, 8%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (75:84, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:117, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:53, 16%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:132, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml (75:84, 12%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:73, 14%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (75:84, 11%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:181, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml (139:148, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:110, 8%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:114, 9%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (120:130, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (95:104, 9%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml (76:87, 13%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:132, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (137:146, 6%) - rules_building_block/lateral_movement_at.toml (59:68, 14%) 10 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:87, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:53, 16%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (105:116, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:79, 10%) 10 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (70:80, 8%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:114, 9%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (75:85, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:89, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (138:147, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml (95:104, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:214, 4%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml (77:88, 12%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:135, 8%) 10 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (102:113, 10%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:64, 16%) 10 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (103:114, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (95:104, 9%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/execution_mofcomp.toml (91:102, 9%) - rules_building_block/discovery_security_software_wmic.toml (95:106, 11%) 10 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (82:92, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:128, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (75:85, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml (73:84, 14%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:76, 12%) 10 duplicated lines in: - rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml (105:114, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:114, 9%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (113:123, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:107, 10%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (96:107, 11%) - rules_building_block/lateral_movement_wmic_remote.toml (69:80, 14%) 10 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (110:121, 9%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:122, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (21:30, 10%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (23:35, 13%) 10 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (174:185, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (141:152, 7%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/persistence_services_registry.toml (128:139, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:89, 11%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml (75:84, 12%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:132, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:97, 8%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (93:102, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:110, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (138:147, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (97:106, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (123:134, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (164:175, 6%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:128, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (152:163, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (164:175, 6%) 10 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:126, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (120:130, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (99:110, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (146:157, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:71, 15%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (180:189, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:93, 10%) 10 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (117:128, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (164:175, 6%) 10 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (97:106, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:94, 9%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_process.toml (133:144, 7%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (110:121, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/_deprecated/credential_access_tcpdump_activity.toml (49:60, 19%) - rules_building_block/discovery_capnetraw_capability.toml (70:81, 12%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:110, 8%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (103:112, 10%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:138, 7%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:97, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:181, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:194, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (84:94, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml (103:112, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:132, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_windows_system_information_discovery.toml (63:74, 14%) 10 duplicated lines in: - rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml (90:101, 12%) - rules_building_block/command_and_control_certutil_network_connection.toml (164:175, 6%) 10 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml (91:100, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:150, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (71:81, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:268, 3%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:54, 18%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:128, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (116:125, 8%) - rules_building_block/execution_unsigned_service_executable.toml (56:65, 13%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:133, 8%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (102:113, 10%) - rules_building_block/discovery_generic_process_discovery.toml (54:65, 16%) 10 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (109:120, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (69:80, 14%) 10 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (111:122, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml (54:64, 12%) - rules_building_block/discovery_net_view.toml (50:60, 10%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (135:144, 5%) - rules_building_block/discovery_generic_account_groups.toml (65:74, 10%) 10 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (162:173, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (68:79, 14%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml (90:101, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (109:120, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:128, 7%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:181, 6%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (63:73, 10%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (106:115, 9%) - rules_building_block/discovery_generic_account_groups.toml (65:74, 10%) 10 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (108:119, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:206, 5%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (105:116, 10%) - rules_building_block/discovery_generic_process_discovery.toml (54:65, 16%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:137, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (70:80, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (124:133, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:90, 11%) 10 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (124:133, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:73, 11%) 10 duplicated lines in: - rules/windows/credential_access_kerberoasting_unusual_process.toml (92:101, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:130, 6%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (93:104, 11%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:71, 15%) 10 duplicated lines in: - rules/linux/impact_process_kill_threshold.toml (94:105, 11%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:114, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:206, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (31:41, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (120:131, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (116:125, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (74:83, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:206, 5%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (106:115, 9%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (45:54, 14%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (120:129, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (21:31, 11%) - rules_building_block/discovery_net_view.toml (50:60, 10%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:54, 18%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (198:209, 5%) - rules_building_block/execution_wmi_wbemtest.toml (47:58, 19%) 10 duplicated lines in: - rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml (95:104, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (181:192, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (96:107, 11%) - rules_building_block/discovery_security_software_wmic.toml (95:106, 11%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:122, 9%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (125:136, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:135, 8%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (141:152, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (63:74, 14%) 10 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (99:110, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (163:174, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:71, 15%) 10 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (152:163, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (58:69, 12%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:97, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (110:121, 9%) - rules_building_block/impact_github_member_removed_from_organization.toml (36:47, 24%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:110, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (126:137, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (164:175, 6%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (142:153, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (57:68, 16%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (142:153, 7%) - rules_building_block/discovery_net_view.toml (109:120, 10%) 10 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (81:92, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:116, 8%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (141:152, 7%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (109:120, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:112, 10%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (75:84, 11%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml (88:99, 12%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml (79:90, 12%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (30:40, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:97, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (175:186, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:105, 11%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (110:121, 9%) - rules_building_block/impact_github_user_blocked_from_organization.toml (36:47, 24%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:132, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:137, 7%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (181:192, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:206, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (96:107, 11%) - rules_building_block/execution_wmi_wbemtest.toml (47:58, 19%) 10 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (176:187, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:97, 11%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (125:136, 8%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:64, 16%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (171:180, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:87, 12%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (171:180, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:70, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:206, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_files.toml (98:109, 10%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/execution_mofcomp.toml (91:102, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (69:80, 14%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:150, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:268, 3%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:114, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (106:117, 10%) - rules_building_block/lateral_movement_at.toml (47:58, 14%) 10 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (124:133, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:87, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (124:133, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:70, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:97, 11%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (104:113, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:94, 9%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:133, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (176:187, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (89:99, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (165:174, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:110, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (63:73, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (116:125, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (77:86, 11%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (125:136, 8%) - rules_building_block/discovery_generic_process_discovery.toml (54:65, 16%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:206, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (148:159, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:71, 15%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (120:129, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (198:209, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (69:80, 14%) 10 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (149:158, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (103:114, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (120:129, 7%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:133, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:181, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:137, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:136, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (63:74, 14%) 10 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:46, 25%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:102, 10%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_passwd_file_write.toml (32:42, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (107:116, 9%) - rules_building_block/lateral_movement_at.toml (59:68, 14%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:110, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml (79:90, 12%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (109:120, 9%) - rules_building_block/discovery_security_software_wmic.toml (95:106, 11%) 10 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (107:116, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (134:143, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:116, 8%) 10 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (71:81, 8%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_windows_system_information_discovery.toml (63:74, 14%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (75:84, 11%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (172:181, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:132, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:122, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (125:136, 8%) - rules_building_block/discovery_security_software_wmic.toml (95:106, 11%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:132, 8%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (117:126, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (28:38, 11%) - rules_building_block/discovery_net_view.toml (50:60, 10%) 10 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (110:121, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (31:41, 9%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (105:116, 9%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:176, 5%) 10 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (30:40, 7%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (75:85, 8%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:206, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (29:39, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (111:120, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (34:44, 6%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:97, 11%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (146:157, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:114, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/execution_mofcomp.toml (91:102, 9%) - rules_building_block/execution_wmi_wbemtest.toml (47:58, 19%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:89, 11%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (110:119, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (108:117, 8%) 10 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (174:185, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (99:109, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:123, 8%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:114, 9%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (100:111, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (69:80, 14%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:114, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (109:119, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:123, 8%) 10 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (111:122, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:89, 11%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:206, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:97, 8%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/privilege_escalation_named_pipe_impersonation.toml (89:99, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (162:173, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (100:111, 10%) 10 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:114, 9%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:97, 8%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (125:136, 8%) - rules_building_block/execution_wmi_wbemtest.toml (47:58, 19%) 10 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (163:174, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:64, 12%) 10 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (114:125, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:89, 13%) - rules_building_block/discovery_internet_capabilities.toml (55:65, 17%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:150, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (34:44, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (34:44, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:158, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:133, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml (100:109, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (154:163, 6%) - rules_building_block/lateral_movement_at.toml (59:68, 14%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:133, 8%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (99:110, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:206, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:179, 5%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (209:220, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:135, 8%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:181, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (93:104, 11%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (112:121, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (89:99, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:106, 11%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:122, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:174, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:69, 13%) 10 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (130:139, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:138, 7%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:106, 11%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:67, 16%) 10 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml (79:88, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:132, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:137, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:150, 6%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:194, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (150:161, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:71, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (117:126, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (110:121, 9%) - rules_building_block/impact_github_pat_access_revoked.toml (36:47, 24%) 10 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:158, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:55, 14%) 10 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (112:121, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:73, 14%) 10 duplicated lines in: - rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml (82:93, 13%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:113, 9%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (44:56, 12%) - rules_building_block/discovery_security_software_wmic.toml (41:53, 11%) 10 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:122, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (130:141, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (120:129, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (182:191, 5%) - rules_building_block/discovery_generic_account_groups.toml (65:74, 10%) 10 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:134, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (63:74, 14%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:89, 11%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (163:174, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:73, 11%) 10 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (182:191, 5%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (45:54, 14%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (103:114, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:89, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (110:121, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml (79:90, 12%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (62:73, 13%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_windows_system_information_discovery.toml (63:74, 14%) 10 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (126:135, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (105:116, 10%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:64, 16%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (95:104, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (108:119, 9%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (63:73, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:128, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (60:70, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (93:103, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml (90:101, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:133, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml (82:93, 13%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (102:113, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:140, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:54, 18%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:150, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/persistence_services_registry.toml (128:139, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (117:126, 8%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (21:30, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (30:40, 13%) 10 duplicated lines in: - rules/windows/persistence_services_registry.toml (128:139, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (141:152, 7%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (81:92, 12%) - rules_building_block/defense_evasion_service_disabled_registry.toml (61:72, 15%) 10 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:97, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (133:142, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (106:115, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (51:61, 8%) - rules_building_block/discovery_net_view.toml (50:60, 10%) 10 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (8:19, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (40:51, 6%) 10 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (84:95, 12%) - rules_building_block/discovery_hosts_file_access.toml (43:54, 20%) 10 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (141:152, 7%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (64:75, 14%) 10 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (111:122, 9%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (68:79, 14%) 10 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:107, 10%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:67, 16%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:181, 6%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:132, 8%) - rules_building_block/discovery_posh_password_policy.toml (106:115, 9%) 10 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (114:125, 9%) - rules_building_block/defense_evasion_services_exe_path.toml (49:60, 12%) 10 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (138:147, 7%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:181, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (135:144, 5%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (45:54, 14%) 10 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (113:124, 9%) - rules_building_block/discovery_security_software_wmic.toml (95:106, 11%) 10 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:114, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (117:128, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (58:69, 12%) 10 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (125:136, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (69:80, 14%) 10 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (100:109, 9%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:83, 11%) 10 duplicated lines in: - rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml (79:90, 12%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (65:76, 13%) 10 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:132, 8%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:131, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:67, 16%) 10 duplicated lines in: - rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml (91:102, 11%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (79:90, 10%) 10 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (21:30, 10%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (24:36, 13%) 10 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (29:39, 10%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml (79:90, 12%) - rules_building_block/discovery_windows_system_information_discovery.toml (63:74, 14%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (133:142, 7%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:206, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:82, 10%) 10 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (88:99, 12%) - rules_building_block/lateral_movement_wmic_remote.toml (69:80, 14%) 10 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (92:102, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:206, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:54, 17%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:114, 9%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml (95:104, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:126, 8%) - rules_building_block/discovery_getconf_execution.toml (42:53, 20%) 10 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (107:118, 10%) - rules_building_block/lateral_movement_at.toml (47:58, 14%) 10 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:126, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (63:74, 14%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (95:104, 9%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (132:141, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:116, 8%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:137, 7%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:132, 8%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (120:130, 5%) - rules_building_block/discovery_capnetraw_capability.toml (33:43, 12%) 10 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (95:104, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/linux/privilege_escalation_suspicious_passwd_file_write.toml (32:42, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (33:43, 13%) 10 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (108:117, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (114:125, 9%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (90:100, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:81, 13%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:67, 16%) 10 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml (78:87, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:94, 8%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (172:181, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:121, 8%) 10 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (88:97, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:86, 12%) 10 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:101, 11%) - rules_building_block/discovery_linux_system_information_discovery.toml (42:53, 21%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:150, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:111, 9%) 10 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (172:181, 5%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (120:131, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (52:63, 11%) 10 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:110, 8%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (26:36, 10%) - rules_building_block/discovery_net_view.toml (50:60, 10%) 10 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (79:89, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (29:39, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (31:41, 8%) 10 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (44:54, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:127, 6%) 10 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:114, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:100, 10%) 10 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:132, 8%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:102, 11%) 10 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (99:108, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:94, 9%) 10 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (101:112, 10%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (50:61, 18%) 10 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (133:142, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 10 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (117:126, 8%) - rules_building_block/discovery_posh_generic.toml (294:303, 3%) 10 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (111:122, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (100:111, 10%) 10 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (108:119, 9%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:60, 15%) 10 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:113, 6%) - rules_building_block/collection_posh_compression.toml (130:139, 7%) 10 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (75:84, 11%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:123, 8%) 9 duplicated lines in: - rules/windows/discovery_admin_recon.toml (49:58, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:53, 8%) 9 duplicated lines in: - rules/windows/credential_access_adidns_wildcard.toml (66:75, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (84:94, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (166:176, 4%) 9 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (37:46, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (58:67, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/discovery_admin_recon.toml (49:58, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (36:45, 9%) 9 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (85:94, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml (44:53, 10%) - rules_building_block/discovery_security_software_wmic.toml (45:54, 10%) 9 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (92:101, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/credential_access_spn_attribute_modified.toml (66:75, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (121:131, 7%) - rules_building_block/discovery_generic_account_groups.toml (76:86, 9%) 9 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (78:87, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/linux/defense_evasion_acl_modification_via_setfacl.toml (84:94, 10%) - rules_building_block/defense_evasion_file_permission_modification.toml (44:54, 15%) 9 duplicated lines in: - rules/windows/privilege_escalation_named_pipe_impersonation.toml (76:85, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (123:132, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (79:88, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml (48:57, 9%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:53, 8%) 9 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (128:137, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (107:117, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:89, 9%) 9 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (55:64, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (66:75, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (55:64, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:53, 8%) 9 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (88:97, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (84:94, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (41:51, 16%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (110:120, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (42:52, 13%) 9 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (70:79, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (121:131, 7%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (56:66, 12%) 9 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (55:64, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (36:45, 9%) 9 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (81:90, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (72:81, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (110:120, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (41:51, 16%) 9 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (79:88, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (74:83, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (88:96, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (84:94, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (60:70, 12%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (110:120, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (69:79, 9%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (110:120, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (166:176, 4%) 9 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (111:122, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:67, 14%) 9 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (12:22, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (16:26, 6%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (106:116, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (42:52, 13%) 9 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (57:66, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (65:74, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (90:99, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (84:94, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (69:79, 9%) 9 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (74:83, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/credential_access_shadow_credentials.toml (67:76, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (69:78, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (86:95, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (103:113, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:59, 12%) 9 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (58:66, 9%) - rules_building_block/discovery_net_view.toml (52:60, 9%) 9 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (75:84, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (123:134, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:67, 14%) 9 duplicated lines in: - rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml (125:137, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:79, 12%) 9 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (95:103, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 9 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (77:86, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (92:100, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 9 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (93:101, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 9 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (96:105, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (76:86, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (74:83, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (110:120, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (60:70, 12%) 9 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (68:77, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (63:72, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (110:121, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (56:67, 14%) 9 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (81:90, 5%) - rules_building_block/discovery_security_software_wmic.toml (45:54, 10%) 9 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (92:101, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (58:67, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (85:94, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (51:60, 10%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (84:94, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (42:52, 13%) 9 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (81:91, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:59, 12%) 9 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (76:86, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (76:85, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml (48:57, 9%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (36:45, 9%) 9 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (162:170, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (73:81, 8%) 9 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (81:90, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (67:77, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (119:129, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (44:54, 15%) 9 duplicated lines in: - rules/linux/persistence_udev_rule_creation.toml (47:55, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (49:57, 12%) 9 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (92:101, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (106:116, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (41:51, 16%) 9 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (93:102, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (68:77, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (82:91, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (44:53, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (74:83, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (49:58, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (76:85, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (73:82, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:112, 5%) 9 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (81:91, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:90, 9%) 9 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (83:91, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:127, 5%) 9 duplicated lines in: - rules/windows/privilege_escalation_group_policy_privileged_groups.toml (54:63, 10%) - rules_building_block/defense_evasion_write_dac_access.toml (31:40, 12%) 9 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (106:116, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (60:70, 12%) 9 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (35:43, 9%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (64:73, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 9 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (44:53, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:126, 5%) 8 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (123:132, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (49:56, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (78:85, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (129:138, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:132, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/linux/credential_access_manual_memory_dumping.toml (68:78, 9%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:72, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:29, 12%) 8 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (78:87, 9%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (53:60, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (50:58, 13%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (70:79, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:129, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:50, 13%) 8 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (55:63, 7%) - rules_building_block/discovery_security_software_wmic.toml (45:53, 9%) 8 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (147:154, 4%) - rules_building_block/discovery_posh_generic.toml (244:251, 2%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (134:141, 4%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:126, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (44:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (111:120, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:92, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (106:115, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml (81:90, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (61:69, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (37:44, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (66:73, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (106:115, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (71:78, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (90:99, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:114, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (103:112, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (36:43, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (67:74, 7%) - rules_building_block/discovery_security_software_wmic.toml (57:64, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (112:121, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:55, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (107:116, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:107, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (121:130, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (54:63, 9%) 8 duplicated lines in: - rules/integrations/azure/credential_access_key_vault_modified.toml (78:87, 10%) - rules_building_block/credential_access_win_private_key_access.toml (72:81, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (78:87, 10%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml (82:90, 9%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (145:152, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (104:111, 7%) 8 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (138:147, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (96:105, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:89, 8%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (133:143, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (136:143, 2%) - rules_building_block/command_and_control_certutil_network_connection.toml (137:144, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (120:130, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (95:104, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (87:96, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (111:120, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (81:89, 4%) - rules_building_block/discovery_net_view.toml (36:44, 8%) 8 duplicated lines in: - rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml (44:51, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (100:109, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (118:125, 7%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (62:69, 11%) 8 duplicated lines in: - rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml (82:91, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml (76:85, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (131:140, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/persistence_app_compat_shim.toml (91:100, 8%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (65:74, 11%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml (81:90, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (87:96, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (106:116, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (52:62, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (58:66, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml (83:92, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (87:96, 10%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (60:67, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml (49:56, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (87:96, 10%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:92, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (183:193, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:114, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (118:126, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml (45:52, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (84:91, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (85:93, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:97, 5%) 8 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (76:83, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml (45:52, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:136, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (111:120, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (92:101, 9%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:136, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:183, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (103:111, 8%) - rules_building_block/discovery_posh_generic.toml (224:232, 2%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:136, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (103:112, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml (81:92, 10%) - rules_building_block/discovery_capnetraw_capability.toml (67:78, 10%) 8 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (92:101, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (94:103, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (78:87, 9%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/discovery_admin_recon.toml (61:68, 7%) - rules_building_block/discovery_security_software_wmic.toml (57:64, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:129, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:183, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (176:185, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (46:55, 12%) 8 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (120:128, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:63, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:32, 11%) 8 duplicated lines in: - rules/windows/discovery_admin_recon.toml (49:57, 7%) - rules_building_block/discovery_security_software_wmic.toml (45:53, 9%) 8 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (49:56, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml (48:55, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (65:72, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (165:174, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (67:76, 11%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (44:51, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (160:169, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (88:97, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (78:87, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:50, 13%) 8 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (180:189, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (45:54, 12%) 8 duplicated lines in: - rules/windows/credential_access_imageload_azureadconnectauthsvc.toml (96:105, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:89, 8%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (47:54, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/_deprecated/discovery_file_dir_discovery.toml (85:94, 10%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (95:104, 7%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (131:141, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (83:92, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:77, 10%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (153:160, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (95:102, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:129, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (60:68, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (98:107, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (134:141, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (139:148, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (60:67, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:128, 5%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (44:53, 17%) 8 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (149:159, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (133:142, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:60, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (87:96, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:57, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (68:75, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (100:109, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (91:101, 8%) - rules_building_block/discovery_net_view.toml (89:99, 8%) 8 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (57:64, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:128, 5%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (152:162, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (123:132, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (59:66, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml (79:88, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (96:105, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml (110:120, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (60:67, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (64:72, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (69:76, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:128, 5%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_user_discovery.toml (45:52, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (153:160, 5%) - rules_building_block/collection_posh_compression.toml (132:139, 6%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (41:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (123:132, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:55, 13%) 8 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (72:81, 10%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml (123:133, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (90:99, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:107, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:50, 13%) 8 duplicated lines in: - rules/ml/credential_access_ml_suspicious_login_activity.toml (41:48, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:128, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (78:87, 10%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:57, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:128, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (121:129, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (82:89, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:75, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:32, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:132, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (87:96, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:77, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (107:116, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (79:86, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:155, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (41:48, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/credential_access_ml_suspicious_login_activity.toml (41:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (27:35, 10%) - rules_building_block/discovery_signal_unusual_user_host.toml (29:37, 15%) 8 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (82:91, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (126:134, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (58:67, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:183, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (64:71, 2%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml (66:73, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (82:92, 10%) - rules_building_block/lateral_movement_at.toml (70:80, 11%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (91:100, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (83:92, 9%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml (105:114, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (55:63, 7%) - rules_building_block/discovery_net_view.toml (36:44, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (92:101, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:55, 13%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (153:160, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:121, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:136, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (155:164, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (85:94, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:132, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (77:84, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (81:88, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/integrations/github/persistence_organization_owner_role_granted.toml (77:87, 11%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:194, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (107:116, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/ml/ml_spike_in_traffic_to_a_country.toml (48:55, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (104:113, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (125:134, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (94:104, 9%) - rules_building_block/lateral_movement_at.toml (70:80, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (91:100, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:60, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:194, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (76:83, 6%) - rules_building_block/discovery_net_view.toml (57:64, 8%) 8 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (123:132, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (100:109, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:60, 11%) 8 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (104:113, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (151:160, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (58:66, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (81:90, 9%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:55, 13%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (100:109, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:50, 13%) 8 duplicated lines in: - rules/ml/ml_spike_in_traffic_to_a_country.toml (48:55, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (131:140, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (137:144, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:128, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:194, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (55:62, 10%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml (65:74, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:128, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (106:114, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (164:173, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml (73:82, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/cross-platform/credential_access_forced_authentication_pipes.toml (31:38, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (143:152, 6%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (139:149, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (72:80, 11%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events.toml (44:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:132, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (57:65, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:183, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:92, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (129:137, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (92:99, 6%) 8 duplicated lines in: - rules/ml/ml_rare_destination_country.toml (50:57, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (120:128, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (98:107, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:57, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (88:97, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (81:88, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (36:43, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (131:139, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (87:96, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/privilege_escalation_windows_service_via_unusual_client.toml (65:73, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:107, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (100:108, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (71:80, 11%) - rules_building_block/discovery_signal_unusual_user_host.toml (44:53, 15%) 8 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (113:121, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml (85:94, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (44:51, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (107:116, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (74:81, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (55:62, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (92:100, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (129:138, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (51:60, 11%) 8 duplicated lines in: - rules/ml/ml_packetbeat_rare_server_domain.toml (48:55, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (77:86, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (87:96, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (141:148, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (97:104, 7%) 8 duplicated lines in: - rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml (99:108, 8%) - rules_building_block/collection_common_compressed_archived_file.toml (74:83, 6%) 8 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (123:132, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:107, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (145:152, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (114:121, 7%) 8 duplicated lines in: - rules/windows/credential_access_regback_sam_security_hives.toml (77:86, 9%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (152:162, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (134:141, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml (98:108, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (134:143, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/initial_access_xsl_script_execution_via_com.toml (89:99, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (137:146, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (84:91, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml (114:124, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (84:93, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (56:64, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:194, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (118:127, 6%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml (99:108, 8%) - rules_building_block/collection_outlook_email_archive.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (111:120, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (63:70, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (84:91, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (153:160, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:115, 7%) 8 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (99:109, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:194, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (63:70, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (86:95, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (88:95, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:128, 5%) 8 duplicated lines in: - rules/ml/ml_low_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (138:147, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:72, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (28:35, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml (86:95, 10%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:183, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (86:95, 10%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (101:110, 8%) 8 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (72:79, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (112:122, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/integrations/github/persistence_organization_owner_role_granted.toml (68:77, 11%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml (73:82, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (44:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (101:110, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (131:140, 6%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (109:117, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/ml/ml_spike_in_traffic_to_a_country.toml (48:55, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:128, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (107:116, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (75:82, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml (109:119, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (107:116, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (118:127, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (152:161, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/ml/ml_high_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:50, 13%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (153:160, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (116:123, 7%) 8 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (90:99, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (46:55, 12%) 8 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (92:101, 9%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:155, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (72:79, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (98:107, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:77, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:126, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (7:16, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (7:16, 5%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (105:114, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (82:89, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml (87:96, 9%) - rules_building_block/collection_outlook_email_archive.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (93:102, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (83:92, 8%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (66:73, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (123:132, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (85:94, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:132, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (113:121, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/_deprecated/defense_evasion_code_injection_conhost.toml (96:105, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml (89:98, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:92, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (74:81, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (36:43, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml (87:96, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (116:123, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (76:83, 8%) 8 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (109:119, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:136, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (44:51, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_activity.toml (40:47, 9%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:126, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (81:90, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (100:109, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:129, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (83:92, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (80:87, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_getconf_execution.toml (45:53, 16%) 8 duplicated lines in: - rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml (65:74, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:92, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (74:82, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (118:127, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (99:108, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml (82:91, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_group_creation.toml (71:78, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:32, 13%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml (48:56, 8%) - rules_building_block/discovery_net_view.toml (36:44, 8%) 8 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (147:154, 4%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (62:69, 11%) 8 duplicated lines in: - rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml (99:108, 8%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (41:50, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (116:126, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (104:112, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (145:152, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (116:123, 7%) 8 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:114, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/ml/ml_rare_destination_country.toml (50:57, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (161:168, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (86:93, 8%) 8 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml (88:98, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (85:94, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/persistence_runtime_run_key_startup_susp_procs.toml (87:96, 8%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:136, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (47:54, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (68:76, 11%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (153:160, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (104:111, 7%) 8 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:114, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (181:191, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (95:105, 8%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml (104:113, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (37:44, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (70:77, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml (82:90, 9%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:92, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml (79:88, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (116:126, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:136, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:194, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (48:55, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:57, 6%) 8 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (116:126, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (91:100, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (81:88, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml (72:81, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml (44:52, 8%) - rules_building_block/discovery_net_view.toml (36:44, 8%) 8 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (71:78, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (87:94, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml (48:56, 8%) - rules_building_block/discovery_security_software_wmic.toml (45:53, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (96:105, 9%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (47:56, 16%) 8 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:107, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:194, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (136:146, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_port_activity.toml (39:46, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (87:96, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (104:113, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (106:115, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (145:152, 5%) - rules_building_block/collection_posh_compression.toml (132:139, 6%) 8 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (89:98, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (134:141, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events.toml (44:51, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (128:138, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (94:103, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml (90:98, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (97:104, 7%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml (126:136, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (95:105, 8%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (100:110, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:129, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (65:72, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (68:75, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (136:146, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (66:73, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (121:129, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (146:155, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (60:67, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (108:117, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:58, 10%) 8 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (81:90, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (67:75, 11%) 8 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (87:96, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (45:52, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/ml_high_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (50:58, 13%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (102:111, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (112:121, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:77, 10%) 8 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (83:90, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:57, 6%) 8 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (91:101, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (46:55, 12%) 8 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (66:73, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (82:89, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (120:129, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (61:70, 11%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (53:60, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (126:136, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (52:62, 14%) 8 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (104:112, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (152:159, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:54, 6%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (47:54, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml (89:98, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml (97:106, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml (45:52, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (40:47, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (92:101, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/ml/ml_high_count_network_denies.toml (47:54, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (36:43, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:194, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml (109:119, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (71:78, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (118:125, 7%) - rules_building_block/discovery_generic_account_groups.toml (82:89, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (83:91, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (37:44, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (145:152, 5%) - rules_building_block/discovery_posh_password_policy.toml (108:115, 7%) 8 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (95:104, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:97, 5%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (147:154, 4%) - rules_building_block/discovery_generic_account_groups.toml (82:89, 8%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (132:142, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (81:90, 9%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:72, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (22:29, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (66:74, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (110:120, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (41:50, 9%) - rules_building_block/discovery_security_software_wmic.toml (45:53, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (96:105, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/ml/ml_high_count_network_denies.toml (47:54, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (146:155, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:92, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (140:150, 6%) - rules_building_block/lateral_movement_at.toml (70:80, 11%) 8 duplicated lines in: - rules/linux/defense_evasion_acl_modification_via_setfacl.toml (85:94, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (61:70, 11%) 8 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (98:108, 8%) - rules_building_block/lateral_movement_at.toml (70:80, 11%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml (105:114, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (106:115, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (43:50, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (75:82, 6%) - rules_building_block/discovery_security_software_wmic.toml (57:64, 9%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (81:89, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (36:44, 8%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (36:43, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (84:93, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:135, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:129, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (70:77, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:92, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (60:67, 10%) - rules_building_block/discovery_security_software_wmic.toml (57:64, 9%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (106:115, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (103:112, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (75:82, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (81:88, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (134:144, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/ml/ml_rare_destination_country.toml (50:57, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_timestomp_sysmon.toml (89:98, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (111:120, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:132, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_user_discovery.toml (45:52, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (95:103, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml (80:89, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml (51:58, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (105:113, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (99:109, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:136, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (154:163, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (87:96, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (110:119, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:61, 13%) 8 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml (81:90, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (91:100, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (83:92, 8%) 8 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (308:317, 2%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml (43:50, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:183, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/windows/lateral_movement_evasion_rdp_shadowing.toml (101:110, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (81:89, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:52, 7%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (137:144, 5%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:107, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml (113:123, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (118:127, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (87:94, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:57, 6%) 8 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (106:114, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (82:89, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (41:50, 9%) - rules_building_block/discovery_net_view.toml (36:44, 8%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (124:131, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (97:104, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:132, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:132, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (35:42, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:155, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (109:119, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (105:114, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (134:144, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (76:83, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml (82:91, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events.toml (44:51, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (72:80, 11%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (96:105, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:58, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (123:132, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:77, 10%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_activity.toml (40:47, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (84:91, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (112:121, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:57, 13%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml (51:58, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (97:105, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_sqs_purge_queue.toml (131:140, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (76:83, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (149:159, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (120:130, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (116:126, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_activity.toml (40:47, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (72:79, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/linux/credential_access_gdb_process_hooking.toml (85:94, 9%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (40:47, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (99:109, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (85:94, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (55:62, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/linux/defense_evasion_kill_command_executed.toml (132:140, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (109:116, 6%) 8 duplicated lines in: - rules/ml/ml_low_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:136, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (85:94, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (68:75, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (44:51, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (63:70, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/linux/execution_suspicious_mkfifo_execution.toml (72:80, 9%) - rules_building_block/persistence_web_server_sus_file_creation.toml (109:116, 6%) 8 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml (80:89, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (104:113, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (84:91, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (90:99, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (108:118, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (85:95, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (92:101, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:77, 10%) 8 duplicated lines in: - rules/ml/ml_packetbeat_rare_server_domain.toml (48:55, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (83:92, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:57, 13%) 8 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (112:121, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (107:116, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (98:107, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (81:90, 9%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:77, 10%) 8 duplicated lines in: - rules/ml/ml_high_count_network_events.toml (46:53, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:183, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml (81:90, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (90:99, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (107:116, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:97, 5%) 8 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (82:91, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml (88:97, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (72:79, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:32, 13%) 8 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (122:131, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:129, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (94:103, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/ml/ml_low_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (96:105, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (80:89, 8%) 8 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (100:108, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (83:92, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:55, 13%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml (51:58, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (260:270, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml (43:50, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:183, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (92:101, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:57, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (37:44, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (61:68, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:128, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (107:116, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (88:97, 9%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (49:58, 15%) 8 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (91:99, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (125:134, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml (49:56, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (118:125, 7%) - rules_building_block/discovery_posh_generic.toml (244:251, 2%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (41:48, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (89:98, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (145:152, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (93:100, 8%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml (49:56, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (143:152, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (83:92, 8%) 8 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (112:122, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (139:149, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (54:61, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (120:127, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:126, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml (80:89, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (67:74, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:92, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (128:138, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (67:77, 11%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (111:120, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/windows/credential_access_regback_sam_security_hives.toml (77:86, 9%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (87:96, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/ml/ml_high_count_events_for_a_host_name.toml (41:48, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (43:50, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml (88:97, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (112:120, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml (84:93, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (51:58, 7%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:128, 5%) 8 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (78:87, 9%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (171:181, 5%) - rules_building_block/lateral_movement_at.toml (70:80, 11%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (106:115, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (44:51, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (127:136, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/ml/ml_packetbeat_rare_server_domain.toml (48:55, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:98, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:57, 13%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (78:85, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (90:97, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (97:104, 7%) 8 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (116:126, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (111:121, 7%) 8 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (89:96, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:126, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (87:96, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:55, 13%) 8 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (164:173, 4%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (53:60, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (137:146, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (46:55, 12%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (82:89, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/credential_access_kerberoasting_unusual_process.toml (71:78, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:194, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (98:107, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml (75:84, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (166:173, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (51:58, 12%) 8 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (78:87, 9%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (40:47, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:129, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (78:87, 10%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:77, 10%) 8 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (49:56, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/credential_access_imageload_azureadconnectauthsvc.toml (96:105, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:58, 10%) 8 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:114, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml (44:51, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (133:140, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (53:60, 13%) 8 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (41:50, 9%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:52, 7%) 8 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (69:76, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml (72:81, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (83:92, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (163:172, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (57:66, 13%) 8 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (127:135, 6%) - rules_building_block/discovery_posh_generic.toml (274:281, 2%) 8 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:155, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (41:50, 9%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (36:44, 8%) 8 duplicated lines in: - rules/linux/credential_access_manual_memory_dumping.toml (68:78, 9%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml (88:97, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:107, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:51, 13%) 8 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:107, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (92:101, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (96:105, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (49:58, 10%) 8 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (98:107, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (88:97, 5%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml (43:50, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:129, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (101:110, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (77:86, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (140:149, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:79, 11%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (100:109, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (118:126, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (134:143, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml (82:91, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (36:43, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml (90:99, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (100:109, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (85:92, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml (41:50, 18%) - rules_building_block/collection_common_compressed_archived_file.toml (123:132, 6%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml (43:50, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml (71:80, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml (112:120, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (49:58, 15%) 8 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (66:73, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:128, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (67:74, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/ml/ml_high_count_network_events.toml (46:53, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (82:89, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (110:120, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (113:122, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (50:59, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:128, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:176, 4%) 8 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:114, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:183, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:52, 11%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (77:84, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:44, 15%) 8 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (85:94, 2%) - rules_building_block/command_and_control_certutil_network_connection.toml (85:94, 5%) 8 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (72:79, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (141:151, 6%) - rules_building_block/lateral_movement_at.toml (70:80, 11%) 8 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (92:101, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:44, 15%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml (43:50, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (46:53, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (49:56, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (112:121, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (183:190, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (51:58, 12%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (84:91, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (92:101, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (49:58, 11%) 8 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (83:92, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml (44:52, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:52, 7%) 8 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml (43:50, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (45:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (154:163, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/_deprecated/persistence_kernel_module_activity.toml (33:42, 17%) - rules_building_block/persistence_startup_folder_lnk.toml (46:55, 12%) 8 duplicated lines in: - rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml (83:92, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:80, 8%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml (48:55, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (75:82, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml (82:92, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/ml/ml_high_count_network_denies.toml (47:54, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (183:193, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (181:191, 4%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (108:118, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (95:105, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (98:107, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:55, 13%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (153:160, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (93:100, 8%) 8 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (260:270, 3%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (122:131, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (72:79, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (85:94, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:114, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:64, 13%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (116:126, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (57:67, 11%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml (45:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_user_discovery.toml (45:52, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (88:97, 9%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (90:99, 8%) 8 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (177:186, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml (74:84, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (73:80, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (50:58, 13%) - rules_building_block/defense_evasion_masquerading_browsers.toml (194:203, 4%) 8 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (108:116, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (65:73, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (200:207, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (81:88, 8%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (137:144, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (134:141, 5%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:107, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:61, 13%) 8 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (143:152, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml (48:55, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (110:117, 7%) - rules_building_block/collection_outlook_email_archive.toml (55:62, 12%) 8 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml (104:113, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (83:92, 9%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (61:68, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:128, 5%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_port_activity.toml (39:46, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (112:121, 7%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (70:79, 10%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (181:191, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (52:62, 14%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (73:80, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (39:46, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (42:49, 11%) 8 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (127:136, 6%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:132, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (76:85, 10%) - rules_building_block/discovery_signal_unusual_user_host.toml (44:53, 15%) 8 duplicated lines in: - rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml (40:49, 19%) - rules_building_block/collection_common_compressed_archived_file.toml (123:132, 6%) 8 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (89:98, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (153:160, 5%) - rules_building_block/discovery_posh_generic.toml (296:303, 2%) 8 duplicated lines in: - rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml (79:88, 9%) - rules_building_block/credential_access_win_private_key_access.toml (72:81, 9%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:128, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:70, 10%) 8 duplicated lines in: - rules/windows/discovery_admin_recon.toml (49:57, 7%) - rules_building_block/discovery_net_view.toml (36:44, 8%) 8 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (43:50, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (79:86, 7%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (134:141, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (179:189, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (112:122, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (95:105, 8%) 8 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (78:85, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (145:152, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (95:102, 8%) 8 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:114, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (63:71, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (31:39, 11%) 8 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (78:87, 10%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:43, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (123:132, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:57, 13%) 8 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:114, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:79, 8%) 8 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (147:155, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (109:116, 6%) 8 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (143:152, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:46, 16%) 8 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (83:92, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (214:222, 3%) - rules_building_block/persistence_creation_of_kernel_module.toml (42:49, 16%) 8 duplicated lines in: - rules/linux/credential_access_gdb_process_hooking.toml (85:94, 9%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:90, 8%) 8 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (105:113, 7%) - rules_building_block/discovery_win_network_connections.toml (60:69, 12%) 8 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (92:100, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:125, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (81:90, 9%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:57, 13%) 8 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (84:93, 9%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:60, 12%) 8 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:128, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:51, 14%) 8 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (101:111, 7%) - rules_building_block/discovery_net_view.toml (89:99, 8%) 8 duplicated lines in: - rules/ml/credential_access_ml_suspicious_login_activity.toml (41:48, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (89:98, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (40:49, 15%) 8 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (106:115, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (52:61, 13%) 8 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (44:51, 5%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (144:154, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (106:116, 7%) 8 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (79:86, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (38:45, 11%) 8 duplicated lines in: - rules/ml/ml_linux_anomalous_network_port_activity.toml (39:46, 8%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 8 duplicated lines in: - rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml (44:52, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (36:44, 8%) 8 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (90:99, 9%) - rules_building_block/discovery_posh_generic.toml (284:293, 2%) 8 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (68:75, 2%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/_deprecated/credential_access_tcpdump_activity.toml (34:45, 15%) - rules_building_block/discovery_capnetraw_capability.toml (67:78, 10%) 8 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (83:92, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:58, 13%) 8 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (145:152, 5%) - rules_building_block/discovery_posh_generic.toml (296:303, 2%) 8 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (78:85, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:110, 5%) 8 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:98, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:55, 13%) 8 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (93:102, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:59, 10%) 8 duplicated lines in: - rules/ml/ml_high_count_network_events.toml (46:53, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/windows/privilege_escalation_rogue_windir_environment_var.toml (96:105, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (81:90, 8%) 8 duplicated lines in: - rules/integrations/github/persistence_organization_owner_role_granted.toml (68:77, 11%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:42, 17%) 8 duplicated lines in: - rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml (44:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (36:43, 6%) 8 duplicated lines in: - rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml (44:51, 6%) - rules_building_block/discovery_capnetraw_capability.toml (38:45, 10%) 7 duplicated lines in: - rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml (22:28, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (160:168, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:58, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (94:100, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (112:118, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (67:75, 9%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (85:93, 6%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (105:111, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (110:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (110:119, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (63:72, 6%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (135:141, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:243, 2%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (127:133, 4%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (68:74, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (83:91, 8%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (42:50, 10%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:149, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (130:136, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (95:101, 6%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (228:236, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/cross-platform/initial_access_azure_o365_with_network_alert.toml (98:106, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml (19:25, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (300:308, 2%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (157:163, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (136:142, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (98:106, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/macos/credential_access_credentials_keychains.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (147:153, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (117:125, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml (109:117, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (161:167, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (144:150, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (63:69, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (131:137, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (144:150, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (61:67, 8%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:131, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (80:88, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (130:138, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:76, 9%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (97:103, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/persistence_services_registry.toml (124:130, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:93, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (134:140, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (105:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (101:109, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:88, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (157:163, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (128:134, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (26:35, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:124, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:136, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (24:30, 11%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (51:57, 9%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml (102:110, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (75:81, 7%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (37:43, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (90:98, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/lateral_movement_evasion_rdp_shadowing.toml (104:110, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (150:156, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (101:107, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (100:106, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (99:107, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (66:72, 6%) - rules_building_block/execution_unsigned_service_executable.toml (22:28, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (98:106, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:65, 10%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (114:120, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (73:79, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (64:70, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (166:172, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:90, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (22:31, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudtrail_logging_updated.toml (15:21, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (132:138, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (161:167, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (149:155, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:126, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:137, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (93:99, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (85:91, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (53:59, 11%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (95:103, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (91:99, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:56, 11%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:110, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/persistence_ad_adminsdholder.toml (81:87, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (153:159, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (118:126, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (83:90, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_microsoft_defender_tampering.toml (132:140, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (110:118, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:50, 12%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:126, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (72:78, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (30:36, 12%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml (102:110, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml (26:35, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (72:78, 9%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (125:133, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (152:158, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (100:106, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:103, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:63, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (116:122, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:136, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:90, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:203, 3%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (20:26, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:28, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:126, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (81:89, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:111, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (141:147, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (170:176, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (99:105, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:93, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (101:107, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (81:87, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (101:107, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (171:177, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (120:126, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (141:147, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (120:126, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (123:129, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:344, 2%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:203, 3%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (146:152, 4%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (80:88, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_file_deletion_via_shred.toml (107:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/macos/credential_access_potential_macos_ssh_bruteforce.toml (42:48, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (46:52, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (57:63, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (34:40, 9%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:34, 18%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (149:155, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (105:113, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (110:118, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (66:72, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (101:107, 7%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (117:123, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (93:101, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (157:163, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (115:123, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (39:47, 13%) 7 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (84:90, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (68:74, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:118, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:69, 9%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (127:133, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:119, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (56:63, 8%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (102:108, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (61:67, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (22:28, 13%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (76:82, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (16:22, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (138:144, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (42:48, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:68, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:28, 10%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (121:127, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (91:97, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (119:125, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:169, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:103, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:60, 11%) 7 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (92:98, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (33:42, 7%) - rules_building_block/discovery_security_software_wmic.toml (41:50, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:114, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (227:235, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (227:235, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml (79:87, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:134, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (115:121, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:66, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:32, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/macos/defense_evasion_install_root_certificate.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (83:91, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (166:172, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml (92:98, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml (101:109, 6%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (55:61, 8%) - rules_building_block/discovery_capnetraw_capability.toml (51:57, 9%) 7 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (106:113, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (145:151, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (100:106, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (85:91, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (116:124, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:135, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (108:114, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (175:181, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (106:112, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (43:49, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (163:169, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (104:112, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (39:47, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:118, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:177, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/persistence_via_bits_job_notify_command.toml (97:105, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (70:78, 8%) 7 duplicated lines in: - rules/macos/credential_access_potential_macos_ssh_bruteforce.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (115:121, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_rds_snapshot_export.toml (15:21, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (104:110, 6%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (141:149, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (101:107, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (31:40, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (95:101, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:125, 4%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:121, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (111:119, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (60:68, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (146:152, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (115:123, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (97:103, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (108:114, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (197:203, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:54, 5%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:86, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (91:98, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (111:117, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (193:199, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (102:111, 6%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (124:132, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (92:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (86:92, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (119:125, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_gpo_schtask_service_creation.toml (108:114, 6%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (97:104, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:89, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (110:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:88, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (170:176, 4%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (86:94, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:134, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (90:97, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml (61:69, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/persistence_scheduled_task_updated.toml (91:97, 7%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:60, 11%) 7 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:111, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml (86:92, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (42:48, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (103:109, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (150:156, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (20:29, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (125:131, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (188:194, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (168:174, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (133:139, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (146:152, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (232:238, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (131:137, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (118:126, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (100:108, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:78, 7%) 7 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (184:192, 3%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml (82:90, 7%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (215:223, 3%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (58:65, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (84:92, 8%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:89, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (136:144, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/integrations/aws/persistence_redshift_instance_creation.toml (19:25, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (134:140, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (40:49, 6%) - rules_building_block/discovery_security_software_wmic.toml (34:43, 7%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (97:103, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:177, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:123, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:90, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (94:102, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (144:150, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (143:149, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml (21:30, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (170:176, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (122:130, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (155:161, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/initial_access_xsl_script_execution_via_com.toml (83:89, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:119, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (86:93, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (157:163, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml (147:153, 4%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_group_creation.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:50, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (85:91, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (177:183, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (178:186, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (88:96, 7%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (23:32, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (105:111, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (105:112, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_creation.toml (15:21, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (145:151, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (143:149, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (82:90, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (55:62, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (134:140, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:88, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (131:137, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/macos/credential_access_dumping_keychain_security.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/credential_access_dump_registry_hives.toml (93:101, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:153, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (49:56, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:90, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:103, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:48, 13%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml (92:98, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml (15:21, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml (81:89, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (61:69, 9%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (133:139, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:119, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml (21:30, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (98:104, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (95:101, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:71, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:31, 14%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (132:138, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/impact_ransomware_file_rename_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (162:168, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:80, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (123:129, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (121:127, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (101:109, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (84:90, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/impact_backup_file_deletion.toml (63:70, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (123:129, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:103, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (64:70, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (33:42, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (106:112, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (83:89, 7%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:201, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:101, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:25, 9%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:27, 13%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (128:134, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (66:72, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (134:140, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (121:127, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (130:136, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (174:182, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:25, 10%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:27, 13%) 7 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (61:67, 7%) - rules_building_block/credential_access_win_private_key_access.toml (25:31, 8%) 7 duplicated lines in: - rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml (84:92, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (116:124, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (104:110, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (116:122, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (94:101, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (98:104, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:48, 13%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (131:137, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:88, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:135, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (105:111, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (89:95, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (123:129, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (157:163, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:97, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:119, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (130:136, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (100:106, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (138:144, 4%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (40:49, 6%) - rules_building_block/discovery_net_view.toml (25:34, 7%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (143:149, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (114:122, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (128:134, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (81:88, 5%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml (18:24, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (72:78, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml (82:90, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:133, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml (19:25, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 5%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (112:118, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:125, 4%) 7 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (138:146, 5%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml (80:88, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (47:55, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:177, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (118:126, 5%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:133, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:118, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (114:120, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (74:82, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:58, 8%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (100:106, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (100:108, 7%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:48, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:85, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (82:88, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml (147:153, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (167:173, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml (81:89, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml (82:90, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (62:69, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:136, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/command_and_control_linux_proxychains_activity.toml (101:108, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (146:152, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (125:133, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:149, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (129:135, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (147:153, 4%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (136:144, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (123:131, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:65, 10%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (92:100, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml (71:79, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (141:147, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/credential_access_kirbi_file.toml (83:91, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:136, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:137, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (100:107, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (148:156, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_address.toml (70:76, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml (82:90, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (117:123, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:203, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (84:90, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (95:101, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (156:162, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:344, 2%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (19:25, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (159:165, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_sdprop_exclusion_dsheuristics.toml (103:109, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (110:116, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (170:176, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (153:160, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:66, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:36, 11%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (121:127, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (117:123, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (134:140, 5%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (60:67, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (57:63, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml (120:126, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:135, 5%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml (76:84, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (123:129, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (132:138, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (103:109, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (34:43, 6%) - rules_building_block/discovery_security_software_wmic.toml (34:43, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_run_virt_windowssandbox.toml (31:37, 10%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (194:200, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (132:139, 4%) - rules_building_block/discovery_posh_generic.toml (49:56, 2%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (147:153, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (155:161, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (24:33, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/cross-platform/initial_access_azure_o365_with_network_alert.toml (98:106, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_acl_deletion.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (141:149, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (119:127, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:118, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (26:35, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (121:127, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml (117:123, 4%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:32, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (127:133, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (115:121, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (87:93, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (66:73, 7%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (84:91, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:129, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (99:105, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (101:107, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (55:62, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (147:153, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (93:101, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml (117:123, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (123:129, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (141:147, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (96:102, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (72:79, 6%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (129:135, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (45:51, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (92:98, 7%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (103:109, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml (98:104, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (180:186, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (75:83, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (93:99, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (129:135, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (305:313, 2%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (88:96, 7%) 7 duplicated lines in: - rules/_deprecated/execution_via_net_com_assemblies.toml (34:40, 15%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (159:165, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (108:114, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (131:139, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (94:102, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (112:118, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (138:144, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (170:176, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (95:101, 6%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (153:159, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (116:122, 5%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (138:144, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/macos/credential_access_systemkey_dumping.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:89, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml (93:101, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (95:101, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (99:105, 7%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (132:138, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (180:186, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:126, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:111, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (126:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (170:176, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/network/command_and_control_cobalt_strike_beacon.toml (80:88, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:86, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (42:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (96:102, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (116:124, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (109:115, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (98:104, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/linux/credential_access_gdb_init_process_hooking.toml (104:112, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (92:98, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml (81:89, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/_deprecated/persistence_cron_jobs_creation_and_runtime.toml (41:47, 14%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (91:98, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:112, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:28, 7%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (100:106, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (130:138, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:56, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:93, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (88:94, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:72, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (55:61, 7%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:149, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (122:130, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (112:118, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml (119:125, 6%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml (81:89, 8%) - rules_building_block/defense_evasion_file_permission_modification.toml (45:53, 12%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (109:115, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:110, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (146:152, 4%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/_deprecated/command_and_control_smtp_to_the_internet.toml (57:63, 10%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:118, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:89, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (99:105, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml (26:35, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (88:94, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (76:82, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:31, 11%) 7 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (106:112, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (128:134, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (83:89, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (36:42, 6%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:71, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:31, 11%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (98:106, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (109:117, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (112:121, 6%) - rules_building_block/discovery_signal_unusual_user_host.toml (41:50, 13%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (124:133, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (72:81, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:134, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (158:164, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (111:117, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (92:100, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (84:92, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (40:48, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (113:120, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (105:111, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml (20:26, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (84:92, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:54, 12%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (250:256, 2%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (88:94, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:169, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (147:153, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:84, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/command_and_control_linux_chisel_client_activity.toml (93:100, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:110, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (78:86, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:119, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (99:105, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (112:120, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (48:54, 12%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (181:189, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:45, 14%) 7 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (125:131, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (142:148, 4%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (130:136, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:94, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (131:137, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (89:97, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (112:118, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/execution_initial_access_foxmail_exploit.toml (99:105, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:71, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:25, 9%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (139:145, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/_deprecated/command_and_control_smtp_to_the_internet.toml (57:63, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (86:92, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (127:133, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (88:96, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_creation.toml (15:21, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (103:109, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (107:115, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (99:105, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (116:122, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (74:80, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:93, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:175, 3%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_rds_instance_restored.toml (86:92, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (50:56, 11%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (85:91, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (138:144, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (120:126, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (81:89, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (192:200, 3%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/impact_ransomware_note_file_over_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (93:99, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:89, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/promotions/privilege_escalation_endgame_process_injection_detected.toml (74:82, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:61, 8%) 7 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (85:93, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (93:101, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (161:167, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (84:91, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (146:152, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (128:134, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (88:94, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (89:95, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:125, 4%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (104:110, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (104:110, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml (101:110, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (82:88, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (123:131, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml (78:87, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (89:97, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (83:89, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (128:134, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (126:132, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (88:94, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (87:94, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (155:161, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:103, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:69, 9%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:149, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (121:127, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (36:45, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:49, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:134, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (28:35, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (93:99, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:88, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (107:113, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (37:43, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (63:69, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (112:119, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (103:109, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (108:114, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (143:149, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:177, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (102:110, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:76, 9%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (126:132, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (120:127, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (112:120, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:65, 10%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml (76:84, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml (101:107, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml (28:37, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (174:180, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (85:92, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:71, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:28, 11%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (145:151, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:135, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (160:169, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (82:88, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (127:133, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (95:101, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (82:88, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:60, 11%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (95:101, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (116:122, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (127:133, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (85:91, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (46:52, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml (79:85, 9%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (170:176, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (133:139, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (95:103, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (121:127, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (141:147, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml (53:60, 8%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (227:235, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (81:87, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (227:235, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (76:82, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (107:115, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (123:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:87, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (123:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (136:144, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (106:112, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (177:183, 4%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml (109:117, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (16:22, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (245:253, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:123, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:201, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml (76:84, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/credential_access_kirbi_file.toml (83:91, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml (26:35, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (148:154, 4%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml (22:29, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml (82:90, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (17:26, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudtrail_logging_updated.toml (15:21, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (103:109, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:63, 11%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (141:147, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (134:140, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (25:34, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (136:144, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (92:100, 5%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:88, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (81:89, 7%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (102:108, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:203, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (19:25, 5%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (117:123, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (147:153, 4%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (146:152, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml (85:93, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (170:176, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (123:129, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:129, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (152:158, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (131:137, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (93:101, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (97:105, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (143:149, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (95:103, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (129:135, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (76:82, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (92:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (121:127, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (141:147, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (166:172, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (113:121, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (125:131, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (98:104, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:151, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (118:124, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:135, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:84, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (138:144, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (127:133, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (110:118, 5%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_filesystem.toml (61:67, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:119, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (115:121, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (135:141, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:149, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (108:114, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_install_root_certificate.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:120, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_creation.toml (65:71, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (31:37, 11%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (145:151, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (112:120, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (82:90, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:54, 12%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (106:112, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (70:76, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (141:147, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (116:122, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (109:115, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (87:93, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (126:132, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml (104:112, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (92:100, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (94:102, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:76, 9%) 7 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (123:131, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (89:97, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (109:115, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (122:128, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (111:119, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (123:129, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:177, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (21:30, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (45:51, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml (81:88, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (89:95, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:152, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:103, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:50, 12%) 7 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (116:122, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (115:121, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (110:116, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (23:32, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:243, 2%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_kworker_uid_elevation.toml (48:54, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_creation.toml (80:89, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (95:101, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (97:103, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (110:116, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:134, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (97:103, 5%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/macos/credential_access_promt_for_pwd_via_osascript.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (143:149, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (96:102, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (130:138, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (98:104, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (98:104, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (85:91, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (136:142, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (126:132, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (67:73, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (94:102, 6%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (73:81, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (49:57, 9%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (129:135, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:160, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (56:63, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (106:112, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (81:87, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:119, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml (114:122, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (140:146, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (170:176, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml (93:101, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (137:143, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (22:31, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (138:144, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (141:147, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (136:142, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:97, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (57:63, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (65:71, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (116:122, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:124, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/credential_access_proc_credential_dumping.toml (107:115, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:137, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (52:58, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (157:163, 4%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (84:90, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml (61:67, 10%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (84:90, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:111, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (89:96, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (143:149, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (139:145, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (42:48, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (96:104, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:177, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:133, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (115:121, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (54:61, 8%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:92, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml (103:109, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:83, 8%) 7 duplicated lines in: - rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (116:123, 2%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (109:115, 3%) - rules_building_block/discovery_net_view.toml (57:63, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:203, 3%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:118, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml (15:21, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/impact_ransomware_file_rename_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:90, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (133:139, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml (123:129, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (106:112, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (132:138, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (116:124, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (92:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (42:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (131:137, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (92:100, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (102:108, 7%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:31, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (22:28, 13%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (117:123, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml (30:38, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (46:54, 10%) 7 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (122:128, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (41:47, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (150:156, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (105:111, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:243, 2%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:125, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:124, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (78:86, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:178, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 5%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:147, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (117:123, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (155:161, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (131:139, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (68:74, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:32, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (127:133, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:127, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (87:93, 8%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (108:114, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (98:106, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (103:109, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml (81:87, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (116:124, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (106:112, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (245:253, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:128, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml (77:85, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:84, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:127, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (106:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (141:147, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (91:98, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (89:95, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (68:74, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (152:160, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (115:123, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:72, 6%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:70, 5%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (144:150, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (181:187, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (56:63, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (131:137, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (83:91, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:65, 10%) 7 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (111:119, 6%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (38:46, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (228:236, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (138:144, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (140:146, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (91:97, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (170:176, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:85, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (102:110, 5%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (131:139, 5%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (141:149, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml (19:25, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:131, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (99:105, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (45:51, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:89, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (90:96, 6%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (44:50, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:54, 5%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (185:193, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (57:64, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (135:141, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (88:96, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (51:58, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:65, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (55:61, 7%) 7 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (55:62, 8%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:115, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (139:145, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (103:109, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/windows/persistence_services_registry.toml (124:130, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/macos/credential_access_potential_macos_ssh_bruteforce.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (109:115, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (77:83, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (193:199, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (232:238, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (35:41, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:130, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (92:98, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (25:34, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (94:102, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:56, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (81:89, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (116:122, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:88, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (43:49, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (118:124, 5%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (136:144, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (185:193, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (115:121, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (106:112, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (72:79, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (38:45, 10%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (259:267, 2%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (104:110, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:87, 8%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (104:110, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_group_creation.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (86:92, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (99:107, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (43:49, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (127:133, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (98:104, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (105:111, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (136:142, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (148:157, 4%) - rules_building_block/collection_posh_compression.toml (80:89, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:71, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:32, 8%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml (61:69, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (124:132, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (49:57, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_install_root_certificate.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (192:198, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (103:109, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:126, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:160, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (135:141, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/cross-platform/initial_access_azure_o365_with_network_alert.toml (98:106, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (137:143, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_code_injection_conhost.toml (94:102, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml (18:24, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (107:113, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (115:121, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (108:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (62:68, 8%) - rules_building_block/discovery_capnetraw_capability.toml (51:57, 9%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (232:238, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (122:130, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:128, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (111:117, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:28, 9%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml (81:89, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (85:93, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (159:165, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (125:134, 6%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml (92:100, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (50:58, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (59:65, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (28:34, 9%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (152:159, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_redshift_instance_creation.toml (19:25, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (23:32, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (110:118, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:118, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (117:123, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (92:98, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (172:178, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (111:117, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml (81:89, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (140:146, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (95:101, 6%) 7 duplicated lines in: - rules/windows/discovery_high_number_ad_properties.toml (83:91, 8%) - rules_building_block/discovery_generic_account_groups.toml (62:70, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:134, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (105:111, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (259:267, 2%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (130:136, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:130, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (157:163, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (97:103, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (95:101, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (135:141, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/persistence_sysmon_wmi_event_subscription.toml (85:91, 8%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_detected.toml (81:87, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (123:129, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (106:112, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (117:123, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (26:35, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (112:120, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (181:187, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (87:93, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (130:136, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (91:97, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (43:49, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (123:129, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (110:116, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (84:90, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (108:114, 5%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (108:114, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (105:111, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (90:96, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/macos/credential_access_mitm_localhost_webproxy.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml (103:111, 7%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (74:81, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (118:126, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (132:138, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (110:116, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (116:122, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (106:112, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:134, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:85, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:88, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (106:114, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:90, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (129:135, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:89, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (91:99, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (172:178, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (95:102, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_indirect_exec_forfiles.toml (57:63, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:90, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (113:121, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (146:152, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (116:122, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (116:122, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (41:47, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:125, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (103:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (166:172, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (118:124, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (166:172, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:119, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (93:99, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (138:144, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (37:44, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (110:116, 6%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (136:144, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (104:110, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (120:126, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (44:51, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:133, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/execution_initial_access_wps_dll_exploit.toml (97:103, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (106:113, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:125, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (97:103, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (136:144, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml (73:81, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:61, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (110:118, 6%) - rules_building_block/discovery_security_software_wmic.toml (75:83, 7%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:107, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (105:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:51, 10%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (83:89, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (42:48, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (95:101, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_acl_deletion.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (116:124, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (129:135, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (127:133, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:160, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (81:87, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (103:109, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (146:152, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (160:166, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_process_execution.toml (25:34, 5%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (95:101, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (87:93, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (104:110, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:91, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (120:126, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (146:154, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (131:137, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml (15:21, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (119:127, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (97:103, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (91:99, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/windows/initial_access_xsl_script_execution_via_com.toml (83:89, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (88:94, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (178:186, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (164:172, 3%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (112:118, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/impact_esxi_process_kill.toml (56:63, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (142:148, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (104:110, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (45:51, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:149, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml (60:66, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:54, 12%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (103:111, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (126:132, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/impact_ransomware_note_file_over_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml (96:104, 6%) - rules_building_block/collection_outlook_email_archive.toml (50:58, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml (116:122, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (139:145, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (113:119, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (124:130, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (91:99, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:54, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (148:154, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:243, 2%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (61:67, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:32, 10%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (122:128, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (116:122, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_powershell_module.toml (112:120, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (98:104, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (85:93, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml (82:90, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (96:104, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (67:73, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (92:98, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:96, 8%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (105:111, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (155:161, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (140:146, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (123:131, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:135, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_install_root_certificate.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (106:112, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (163:169, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:118, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (96:102, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (62:69, 6%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:65, 8%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:70, 5%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (108:114, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (123:131, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (21:30, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:80, 5%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:70, 5%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (71:77, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (30:36, 12%) 7 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (101:107, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (129:135, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:126, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:118, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (121:127, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (55:61, 5%) - rules_building_block/discovery_net_view.toml (39:45, 7%) 7 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (110:116, 5%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (165:171, 4%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml (31:39, 17%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (60:68, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (16:22, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (107:113, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (62:69, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (114:120, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml (64:70, 9%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:109, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:31, 10%) 7 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (96:104, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (87:93, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (114:122, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (135:141, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (81:88, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (103:111, 6%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:89, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:118, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:149, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (77:85, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (106:112, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml (103:109, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (45:51, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (100:107, 5%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (146:154, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (120:126, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (104:112, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (99:107, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (40:48, 13%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (193:199, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_named_pipe_impersonation.toml (89:96, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (21:28, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (99:105, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (142:148, 4%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/privilege_escalation_kworker_uid_elevation.toml (116:122, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (89:95, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (62:68, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml (88:94, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/_deprecated/discovery_whoami_commmand.toml (33:41, 17%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (39:47, 13%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (142:148, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (77:85, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:118, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (142:148, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (78:86, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (49:57, 9%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (88:94, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (114:120, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml (105:111, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:66, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:31, 14%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (55:61, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (105:111, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (143:149, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (159:165, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (111:119, 5%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (43:49, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (105:113, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (157:163, 4%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (59:66, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (122:128, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/credential_access_credential_dumping.toml (106:114, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (114:120, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (93:101, 6%) - rules_building_block/discovery_of_domain_groups.toml (41:49, 14%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (117:123, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (194:200, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (170:176, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (105:113, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:88, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/integrations/aws/persistence_redshift_instance_creation.toml (83:92, 9%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (139:145, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/privilege_escalation_root_crontab_filemod.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:50, 12%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (120:126, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (108:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (83:89, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (42:48, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (100:106, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (99:105, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (121:127, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (146:152, 4%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:110, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (287:295, 2%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (107:115, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_registry.toml (66:72, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (103:109, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:110, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (142:148, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml (80:88, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:90, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (85:92, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (143:149, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (112:120, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (19:25, 5%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (77:84, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (92:100, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml (92:98, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (46:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (102:108, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (96:102, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (117:123, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (143:149, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (99:107, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:61, 8%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (118:124, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml (16:22, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/privilege_escalation_root_crontab_filemod.toml (102:108, 7%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_rc_script_creation.toml (71:77, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (77:84, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (38:45, 10%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (117:123, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (89:97, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (134:140, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (118:126, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (89:95, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (159:165, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (46:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (77:83, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:60, 7%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_direct_outbound_smb_connection.toml (87:94, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (116:124, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (108:114, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (136:144, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (110:116, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (83:91, 8%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/macos/persistence_via_atom_init_file_modification.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:243, 2%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (128:134, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (110:116, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (113:121, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (91:99, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:84, 7%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (42:48, 6%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_via_net_com_assemblies.toml (34:40, 15%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:34, 18%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (108:116, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:58, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (99:107, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:124, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (121:127, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (46:52, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (90:96, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (102:108, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (91:99, 7%) - rules_building_block/execution_wmi_wbemtest.toml (44:52, 13%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (90:98, 6%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (232:238, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (82:90, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (146:152, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (136:144, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (106:114, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:136, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (75:81, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (153:159, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (124:133, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (63:72, 6%) 7 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:129, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (97:105, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (246:254, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (126:132, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml (82:90, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:66, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:28, 11%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:88, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (64:70, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:127, 4%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (113:121, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (143:149, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (110:116, 3%) - rules_building_block/discovery_security_software_wmic.toml (56:62, 7%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (138:144, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (150:158, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (106:112, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (109:115, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (106:114, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (157:163, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (185:193, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (66:72, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (24:33, 8%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (93:99, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (115:121, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (124:130, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (116:122, 6%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (149:155, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (122:130, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (96:105, 6%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (98:104, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (73:79, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (108:114, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (110:118, 6%) - rules_building_block/discovery_security_software_wmic.toml (75:83, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (123:129, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (83:89, 7%) - rules_building_block/discovery_posh_password_policy.toml (38:44, 6%) 7 duplicated lines in: - rules/linux/command_and_control_linux_ssh_x11_forwarding.toml (95:102, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml (92:98, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_run_virt_windowssandbox.toml (31:37, 10%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (93:101, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (106:112, 6%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (88:94, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (122:128, 5%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (92:98, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (119:127, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (99:105, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/execution_initial_access_foxmail_exploit.toml (99:105, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml (15:21, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (128:136, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (141:149, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:135, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (98:104, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (46:52, 6%) - rules_building_block/discovery_capnetraw_capability.toml (49:55, 9%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (92:100, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (44:51, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/credential_access_systemkey_dumping.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (87:93, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (99:106, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:89, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (23:32, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (116:124, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:97, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (145:151, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:203, 3%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:94, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (118:126, 5%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (92:98, 7%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (88:95, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (132:138, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/_deprecated/execution_via_net_com_assemblies.toml (34:40, 15%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_script_via_html_app.toml (112:120, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml (85:93, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:89, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (177:183, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (146:152, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (92:100, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (138:144, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (122:128, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (86:94, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:81, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (92:100, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:65, 10%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (95:101, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (115:121, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (199:205, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (199:205, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:113, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml (18:24, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (122:128, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:80, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (55:61, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (61:69, 9%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (130:136, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (106:112, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml (113:119, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/execution_initial_access_foxmail_exploit.toml (99:105, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (90:96, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (146:152, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (83:89, 7%) - rules_building_block/collection_posh_compression.toml (38:44, 5%) 7 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (13:19, 6%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (15:21, 9%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml (16:22, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (113:119, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (135:141, 5%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (120:127, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (84:90, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:136, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (106:112, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (64:70, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/cross-platform/initial_access_azure_o365_with_network_alert.toml (98:106, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (193:199, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (106:112, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (133:139, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml (79:87, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml (20:26, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:89, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml (82:90, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (125:133, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:119, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (47:53, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (116:122, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (141:149, 4%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (105:111, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (102:108, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:78, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (110:116, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (98:106, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (49:57, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (93:100, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (122:128, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (67:73, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (127:135, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (95:103, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (112:118, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (141:147, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (116:122, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (115:123, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (126:132, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/persistence_browser_extension_install.toml (61:67, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (22:28, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_microsoft_defender_tampering.toml (132:140, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:74, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:34, 7%) 7 duplicated lines in: - rules/macos/credential_access_dumping_keychain_security.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml (77:85, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (99:107, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (49:57, 9%) 7 duplicated lines in: - rules/macos/credential_access_mitm_localhost_webproxy.toml (46:52, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/integrations/azure/collection_update_event_hub_auth_rule.toml (87:93, 8%) - rules_building_block/collection_posh_compression.toml (126:132, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (99:105, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:103, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (136:144, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:54, 12%) 7 duplicated lines in: - rules/windows/credential_access_saved_creds_vaultcmd.toml (92:100, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (8:16, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (16:24, 5%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (120:126, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (99:105, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (64:71, 6%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (166:172, 4%) - rules_building_block/collection_posh_compression.toml (126:132, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (98:104, 7%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (90:96, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (84:90, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (31:40, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (98:106, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (99:105, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (125:133, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (123:129, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml (117:123, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (17:26, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (84:91, 6%) - rules_building_block/discovery_posh_generic.toml (49:56, 2%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (99:105, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:203, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:114, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:133, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (135:141, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (108:114, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (131:139, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (128:134, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (141:149, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (143:149, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (236:242, 3%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (117:123, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (106:112, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:119, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (199:205, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:151, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (126:132, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (91:99, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/_deprecated/execution_linux_process_started_in_temp_directory.toml (38:47, 16%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (116:122, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:97, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:89, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (139:145, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (33:42, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:89, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (145:151, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (104:110, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (61:69, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (49:57, 9%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:113, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (212:218, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (127:133, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (130:136, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (98:104, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (33:42, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:49, 6%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (96:104, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (60:67, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml (73:79, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:32, 11%) 7 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (79:86, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (109:115, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:90, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (131:137, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml (138:144, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:153, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (118:126, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:48, 13%) 7 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:90, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (160:166, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:88, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (74:80, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (136:142, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (113:119, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (96:102, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (116:122, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_detected.toml (81:87, 8%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/credential_access_promt_for_pwd_via_osascript.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml (110:116, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (42:48, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (94:100, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (126:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (123:129, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (121:127, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml (20:26, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_network_acl_creation.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (95:103, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:68, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (22:28, 8%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (115:121, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:84, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (121:127, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/execution_initial_access_suspicious_browser_childproc.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (149:155, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (104:110, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (112:120, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (92:100, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:89, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (108:114, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (102:108, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (101:107, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (106:112, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (101:107, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (88:94, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (93:99, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:134, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (190:196, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/persistence_message_of_the_day_creation.toml (92:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (177:183, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (101:107, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (94:100, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:62, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:29, 8%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:110, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (69:75, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml (100:108, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (87:93, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:89, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (121:127, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (42:48, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (240:248, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (21:30, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (97:103, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (138:144, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (92:98, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (123:129, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (123:129, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (105:111, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_evasion_rdp_shadowing.toml (101:109, 6%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (146:152, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml (20:26, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_filesystem.toml (61:67, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:93, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (98:104, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (113:119, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (146:152, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml (81:89, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (103:109, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (67:73, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (112:118, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (122:128, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_powershell.toml (163:169, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:51, 10%) 7 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (44:50, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_prevented.toml (83:89, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (100:106, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (115:121, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (89:96, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/persistence_screensaver_plist_file_modification.toml (31:40, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (216:222, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml (60:66, 10%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (78:86, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:65, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (119:125, 5%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (156:162, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (82:88, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (87:95, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:65, 10%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (142:148, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml (15:21, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (136:144, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (150:156, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (136:144, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (117:123, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (88:94, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml (117:123, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:70, 10%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (86:94, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (16:22, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (46:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (155:161, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (66:72, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (117:125, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (58:65, 8%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:125, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:134, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/credential_access_lsass_openprocess_api.toml (91:97, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (120:126, 4%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:175, 3%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (127:133, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml (119:125, 6%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (84:90, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:149, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (126:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (91:97, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (75:81, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (136:144, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml (119:125, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (59:66, 5%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (130:136, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (73:79, 8%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:160, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml (123:129, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (45:51, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (123:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (123:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (105:111, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (45:51, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_detected.toml (81:87, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (115:121, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/credential_access_gdb_process_hooking.toml (85:93, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml (107:113, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (115:121, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:84, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:28, 11%) 7 duplicated lines in: - rules/windows/credential_access_lsass_handle_via_malseclogon.toml (85:93, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (17:23, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (123:129, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (83:91, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml (88:96, 7%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (64:70, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml (84:92, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (50:58, 11%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (16:22, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml (119:125, 6%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (109:115, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (132:138, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:87, 8%) 7 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (105:111, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (102:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (88:96, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (99:105, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (117:123, 6%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (91:99, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (58:64, 8%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (130:136, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (130:136, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (90:97, 2%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:85, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (97:103, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:63, 11%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (109:117, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/initial_access_webshell_screenconnect_server.toml (105:111, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:119, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml (75:83, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (141:147, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (115:121, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_sip_provider_mod.toml (64:70, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (109:115, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (121:127, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (338:344, 2%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml (19:25, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (116:122, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:88, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (136:144, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (147:153, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (120:126, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (121:128, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml (93:101, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (146:152, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (128:134, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:89, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (140:146, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:126, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (102:110, 5%) - rules_building_block/discovery_internet_capabilities.toml (39:47, 12%) 7 duplicated lines in: - rules/windows/execution_initial_access_wps_dll_exploit.toml (97:103, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (99:105, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (329:335, 2%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:90, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:62, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:34, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (49:55, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (47:53, 5%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (112:118, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (56:62, 7%) - rules_building_block/discovery_posh_password_policy.toml (39:45, 6%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (20:29, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_table_created.toml (16:22, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:119, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (108:114, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (87:94, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/credential_access_kirbi_file.toml (83:91, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 5%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (132:138, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (130:138, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:54, 12%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (131:137, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_suppression_rule_created.toml (79:87, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (20:29, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (116:122, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:135, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (40:48, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:118, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (16:22, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (98:104, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/linux/persistence_user_or_group_creation_or_modification.toml (59:65, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (20:29, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_msbuild_making_network_connections.toml (144:152, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (94:100, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (194:200, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (203:211, 3%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:68, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (28:34, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (110:116, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (16:22, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml (81:89, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (185:193, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/credential_access_domain_backup_dpapi_private_keys.toml (37:43, 10%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (30:36, 12%) 7 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (51:58, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (24:30, 3%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (36:45, 5%) - rules_building_block/discovery_net_view.toml (32:41, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:123, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (92:98, 7%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (98:104, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/command_and_control_outlook_home_page.toml (97:103, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/macos/privilege_escalation_root_crontab_filemod.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_group_creation.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (43:49, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (122:130, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml (82:90, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (115:121, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (132:138, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (87:94, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml (84:90, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (83:89, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (38:44, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml (19:25, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (228:236, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (114:120, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (98:104, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (33:42, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (32:41, 7%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (103:112, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (128:134, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (110:116, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml (81:87, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (66:72, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:160, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml (15:21, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (112:118, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_apple_softupdates_modification.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (120:126, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:123, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:118, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (92:98, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (305:313, 2%) - rules_building_block/defense_evasion_masquerading_browsers.toml (164:172, 3%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:177, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (141:149, 4%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml (92:98, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:70, 10%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (259:267, 2%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:89, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/command_and_control_port_forwarding_added_registry.toml (105:111, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (124:130, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (37:43, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (92:98, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (97:103, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (75:83, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:93, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (87:95, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:137, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (142:148, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:133, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (44:51, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:118, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (81:89, 8%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (60:68, 9%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (73:79, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (64:71, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (92:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:91, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (28:35, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (148:154, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml (19:25, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (42:48, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (108:114, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (108:114, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (148:154, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml (19:25, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (87:93, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (42:48, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (95:101, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:151, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:93, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (112:120, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:121, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (180:186, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (141:149, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_chkconfig_service_add.toml (88:94, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (143:149, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (123:129, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (61:67, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (22:28, 7%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (116:122, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:201, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (83:90, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (38:45, 10%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml (147:153, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (146:152, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (129:135, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (109:115, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (73:81, 8%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:243, 2%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (138:144, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (123:129, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (55:63, 11%) 7 duplicated lines in: - rules/windows/execution_initial_access_via_msc_file.toml (89:95, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (100:107, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:89, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_deletion.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (93:99, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (22:31, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (122:128, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_gpo_schtask_service_creation.toml (104:110, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (99:105, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:119, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml (18:24, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (69:76, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (170:176, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (150:156, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (130:136, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_event_viewer.toml (156:162, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (77:84, 6%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (131:137, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (77:83, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (98:106, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/execution_powershell_susp_args_via_winscript.toml (80:86, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml (105:112, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/execution_windows_cmd_shell_susp_args.toml (143:149, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (132:138, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (197:203, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (131:137, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (192:198, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (91:99, 7%) - rules_building_block/discovery_hosts_file_access.toml (40:48, 14%) 7 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (135:141, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_rds_snapshot_export.toml (15:21, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (132:138, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (193:199, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (86:93, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (88:96, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (128:134, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:135, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (85:93, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (199:205, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (46:52, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:118, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (190:196, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml (103:109, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml (110:116, 5%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (112:118, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:97, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (131:137, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (122:128, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (73:79, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (81:89, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:65, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (117:123, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml (95:101, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:88, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml (99:106, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (22:31, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml (117:123, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (107:115, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (107:115, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:112, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:29, 3%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (108:114, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:101, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (122:128, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (115:123, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (131:137, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/network/discovery_potential_network_sweep_detected.toml (89:97, 7%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (100:108, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (110:118, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (91:99, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (98:104, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (122:130, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (161:169, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:133, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (216:222, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml (105:111, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (149:155, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml (102:110, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (84:92, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:76, 9%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (138:144, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:125, 4%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (63:69, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (159:165, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (93:101, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (119:125, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (141:149, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (106:112, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (100:108, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (123:129, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:152, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (136:142, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (141:148, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_sip_provider_mod.toml (64:70, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (155:161, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (233:241, 3%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (102:109, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:52, 10%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/credential_access_promt_for_pwd_via_osascript.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (128:134, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (103:109, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (116:122, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (97:103, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (105:111, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (158:164, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/macos/credential_access_dumping_keychain_security.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (114:120, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (107:115, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:87, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (107:115, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (62:68, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (131:137, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:135, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (127:133, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (117:124, 4%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml (81:89, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/macos/credential_access_potential_macos_ssh_bruteforce.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (95:101, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (106:112, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:91, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:118, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:265, 2%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (112:118, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (170:176, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (64:70, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_clear_kernel_ring_buffer.toml (107:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (131:137, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:110, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (89:97, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (65:71, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (20:29, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (80:86, 7%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:89, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (86:92, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (145:151, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (159:167, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (49:57, 9%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (128:134, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (127:133, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:121, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/macos/persistence_login_logout_hooks_defaults.toml (45:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (81:89, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (101:107, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (21:28, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml (104:112, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (109:117, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (76:82, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:160, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (140:146, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/credential_access_credentials_keychains.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (134:140, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (139:145, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (107:115, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml (66:74, 11%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (82:90, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:76, 9%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (88:94, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/persistence_login_logout_hooks_defaults.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (116:122, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:110, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:85, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (44:52, 13%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:51, 10%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (161:167, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:137, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (112:120, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:85, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml (110:116, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (24:33, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (176:182, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (121:129, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (22:31, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:91, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml (102:110, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (125:133, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (113:119, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (97:103, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/execution_initial_access_wps_dll_exploit.toml (97:103, 7%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (175:181, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (52:60, 11%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (123:130, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_krbrelayup_service_creation.toml (104:110, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (116:122, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:94, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (83:90, 5%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (95:101, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (103:111, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/initial_access_exploit_jetbrains_teamcity.toml (123:129, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (91:99, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:119, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (102:110, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (85:93, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (147:153, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (126:132, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:88, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (91:99, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (192:198, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (114:122, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (107:115, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (85:93, 6%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (94:100, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (131:137, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_file_copy_hidden_share.toml (91:97, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (17:23, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (111:119, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (81:88, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (38:45, 10%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:84, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (132:140, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:61, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (112:118, 6%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:243, 2%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (85:93, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_rds_instance_restored.toml (32:38, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (32:38, 11%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (168:174, 4%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (84:90, 8%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (118:124, 6%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_creation.toml (62:68, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (22:28, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_network_acl_creation.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (128:136, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:50, 12%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (132:138, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (108:114, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (166:172, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (130:136, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (104:110, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:145, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (171:177, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (96:102, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (134:140, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (128:134, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (108:114, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (118:124, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:103, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:78, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (117:123, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (62:68, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (28:34, 8%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/persistence_linux_backdoor_user_creation.toml (19:27, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (16:24, 5%) 7 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (96:102, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (48:54, 12%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (159:165, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (115:121, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml (92:98, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (96:103, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (138:144, 4%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (92:100, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (91:97, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (129:135, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml (15:21, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (133:139, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (96:104, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/integrations/aws/collection_cloudtrail_logging_created.toml (15:21, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml (18:24, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (112:118, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_dir_ads.toml (64:70, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (80:87, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:160, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (34:43, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (157:163, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml (53:60, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:118, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (47:53, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml (98:104, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (83:89, 7%) - rules_building_block/discovery_posh_generic.toml (38:44, 2%) 7 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (25:34, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (103:109, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (106:112, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (26:33, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (136:144, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:177, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (24:33, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml (95:101, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (108:114, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml (76:84, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (99:105, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (33:42, 7%) - rules_building_block/discovery_net_view.toml (32:41, 7%) 7 duplicated lines in: - rules/windows/impact_ransomware_file_rename_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (66:72, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:54, 5%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (127:133, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (116:122, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (55:62, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (101:107, 6%) - rules_building_block/collection_posh_compression.toml (126:132, 5%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (183:189, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (183:189, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (132:138, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (131:138, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (137:143, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (143:149, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:89, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (87:95, 6%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (125:131, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/_deprecated/execution_crash_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (101:109, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (164:172, 4%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (157:163, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (109:117, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml (81:89, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (117:123, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (82:90, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (259:267, 2%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (33:42, 8%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (34:43, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (25:34, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (89:97, 6%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (81:89, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (126:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (157:163, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (129:135, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (158:164, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_hide_encoded_executable_registry.toml (62:68, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/command_and_control_iexplore_via_com.toml (98:104, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (65:73, 8%) - rules_building_block/persistence_startup_folder_lnk.toml (46:54, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:91, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (131:137, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:89, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (123:131, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (49:57, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (115:121, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:103, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:50, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:119, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (159:165, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (83:89, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (115:121, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/credential_access_mod_wdigest_security_provider.toml (77:84, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml (85:93, 8%) - rules_building_block/privilege_escalation_trap_execution.toml (40:48, 13%) 7 duplicated lines in: - rules/_deprecated/execution_via_net_com_assemblies.toml (28:37, 15%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml (22:28, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:118, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:89, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (99:105, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (66:73, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (22:31, 4%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (158:164, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (146:152, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/cross-platform/persistence_shell_profile_modification.toml (90:96, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (163:171, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (140:148, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (26:35, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (88:94, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:133, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (249:255, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (63:69, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml (92:98, 7%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (86:94, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (90:97, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:134, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (82:90, 7%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:90, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (89:95, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (132:138, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (46:52, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (47:53, 9%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (94:100, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_windows_powershell_susp_args.toml (145:151, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (106:112, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (88:96, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:103, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:175, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (150:156, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (139:145, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (85:92, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (160:166, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (147:153, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (91:97, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:119, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/network/command_and_control_halfbaked_beacon.toml (78:86, 8%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:90, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (117:123, 4%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:115, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/macos/credential_access_mitm_localhost_webproxy.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (118:124, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (249:255, 3%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (142:148, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:107, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (81:89, 7%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (83:89, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (81:87, 8%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (87:95, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (139:145, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_kworker_uid_elevation.toml (103:109, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml (117:123, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (81:89, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml (45:51, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:119, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:90, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_kthreadd_masquerading.toml (108:114, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (24:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (153:159, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (24:31, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:98, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (99:105, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/_deprecated/execution_gcc_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (102:108, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/persistence_udev_rule_creation.toml (47:53, 5%) - rules_building_block/discovery_capnetraw_capability.toml (49:55, 9%) 7 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:178, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (34:43, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/command_and_control_iexplore_via_com.toml (98:104, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (92:100, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (86:92, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/integrations/azure/collection_update_event_hub_auth_rule.toml (87:93, 8%) - rules_building_block/collection_common_compressed_archived_file.toml (100:106, 5%) 7 duplicated lines in: - rules/cross-platform/initial_access_azure_o365_with_network_alert.toml (98:106, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:147, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:120, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:119, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (150:156, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (73:79, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (46:52, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (125:131, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (110:116, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:113, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:97, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (63:69, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (172:178, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (142:148, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:243, 2%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_from_tsclient_mup.toml (89:97, 7%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (105:111, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (89:95, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (117:123, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (34:43, 5%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_prevented.toml (83:89, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (119:127, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:118, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:162, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:90, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (117:123, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (123:129, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/initial_access_xsl_script_execution_via_com.toml (83:89, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml (58:65, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (122:130, 6%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (94:100, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (95:101, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (128:135, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (142:148, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (120:126, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml (77:84, 9%) - rules_building_block/credential_access_win_private_key_access.toml (72:80, 8%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (110:119, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (72:81, 6%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (228:236, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (85:91, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (99:105, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (170:176, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (113:119, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (106:112, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (138:144, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml (117:123, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_hash.toml (71:77, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (114:120, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (132:138, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (166:172, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/network/command_and_control_port_26_activity.toml (78:84, 9%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml (178:184, 4%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (115:121, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (190:196, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (51:57, 5%) - rules_building_block/discovery_net_view.toml (39:45, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (89:95, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (103:109, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (121:127, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (87:93, 8%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (117:123, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (137:143, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (60:67, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (131:137, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (106:112, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (70:78, 7%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (109:115, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (65:73, 8%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:45, 14%) 7 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (120:126, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (30:36, 12%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (159:165, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (53:60, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (96:102, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (94:102, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:54, 12%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (110:116, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (21:30, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_filesystem.toml (61:67, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (142:148, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (127:133, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (120:126, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (170:176, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/linux/privilege_escalation_pkexec_envar_hijack.toml (109:115, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (111:119, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (136:144, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:56, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (140:146, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (63:71, 9%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/execution_file_execution_followed_by_deletion.toml (109:117, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (77:83, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (84:92, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:56, 11%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (156:162, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (127:133, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (102:108, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/execution_egress_connection_from_entrypoint_in_container.toml (83:91, 7%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml (105:111, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:85, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (138:144, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (26:35, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (105:112, 4%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (121:127, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (99:107, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (49:57, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:89, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (60:67, 6%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (102:110, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (122:130, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_dir_ads.toml (64:70, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml (18:24, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (61:67, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_dir_ads.toml (64:70, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (124:130, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (106:114, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/_deprecated/execution_mysql_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (78:86, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (116:122, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (83:91, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (329:335, 2%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (102:108, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (75:83, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:155, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_werfault.toml (130:136, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (122:128, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (133:139, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml (147:153, 4%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (105:111, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (153:159, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (88:94, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:155, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (100:108, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (102:110, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (46:54, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (116:122, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml (85:93, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (101:109, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:42, 15%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:201, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:191, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:136, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (128:134, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:118, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (101:108, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (125:133, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (92:99, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_lolbas_win_cdb_utility.toml (91:99, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (81:89, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (39:47, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (122:130, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (212:218, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (81:89, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_trusted_directory.toml (114:120, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/credential_access_mimikatz_memssp_default_logs.toml (92:100, 7%) - rules_building_block/credential_access_mdmp_file_creation.toml (81:89, 7%) 7 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (127:133, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (127:133, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:88, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (101:107, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (78:84, 8%) 7 duplicated lines in: - rules/macos/persistence_creation_change_launch_agents_file.toml (101:107, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (147:153, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:139, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (103:109, 6%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (99:107, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:66, 6%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:70, 5%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (112:118, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:160, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (203:211, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (113:119, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (72:78, 9%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (93:99, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (21:30, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (87:95, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (95:101, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (88:96, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (231:239, 3%) - rules_building_block/persistence_startup_folder_lnk.toml (46:54, 11%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_job_creation.toml (97:103, 7%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (108:116, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:76, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (86:93, 2%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (98:106, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (117:123, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:91, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (121:129, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml (66:74, 11%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (108:114, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (109:117, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:118, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:134, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (108:114, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml (76:84, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_network_connection_from_windows_binary.toml (188:194, 3%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (148:154, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (146:152, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (102:108, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (25:34, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (127:133, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml (79:85, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:32, 11%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (121:128, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (25:34, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (106:112, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (139:145, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml (102:109, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:136, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (44:50, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml (84:92, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/credential_access_regback_sam_security_hives.toml (77:85, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (91:99, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (110:118, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (112:118, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (124:130, 5%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (143:149, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (17:26, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_safari_config_change.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (45:51, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (122:128, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (109:117, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_run_virt_windowssandbox.toml (31:37, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (104:110, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:109, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:34, 7%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml (82:90, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (149:155, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (136:142, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (103:111, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml (61:67, 10%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (93:99, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (77:84, 6%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (101:109, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (80:86, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/macos/persistence_screensaver_engine_unexpected_child_process.toml (54:60, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/command_and_control_outlook_home_page.toml (97:103, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml (88:94, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:129, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:105, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (101:107, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (119:125, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (79:86, 6%) - rules_building_block/discovery_generic_account_groups.toml (30:37, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:160, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (130:138, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:59, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/collection_email_powershell_exchange_mailbox.toml (125:131, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (108:114, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (141:149, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (251:259, 3%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml (16:22, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (124:130, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (23:32, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (22:31, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (141:147, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (163:169, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (80:88, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (102:108, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml (71:79, 10%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (110:116, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:71, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (105:111, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml (84:90, 8%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:88, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (131:137, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (163:169, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (122:128, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (66:72, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/credential_access_systemkey_dumping.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/persistence_user_account_added_to_privileged_group_ad.toml (100:108, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (145:151, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (98:104, 7%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:136, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml (68:74, 2%) - rules_building_block/command_and_control_certutil_network_connection.toml (138:144, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:89, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (84:90, 8%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (102:108, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/macos/credential_access_credentials_keychains.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (124:130, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_timestomp_sysmon.toml (92:98, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (113:121, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/macos/persistence_account_creation_hide_at_logon.toml (99:105, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:121, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (155:161, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:57, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (59:65, 6%) - rules_building_block/lateral_movement_at.toml (28:34, 10%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (120:126, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml (106:112, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (34:43, 6%) - rules_building_block/discovery_net_view.toml (25:34, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (114:120, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (142:148, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:164, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:133, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (171:177, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (141:147, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (140:146, 5%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (67:73, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml (80:88, 9%) - rules_building_block/defense_evasion_write_dac_access.toml (61:69, 9%) 7 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (109:117, 6%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (66:72, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:88, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (131:137, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (73:79, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (94:100, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (82:88, 8%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (140:146, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (132:138, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (112:119, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (159:167, 4%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (51:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (104:113, 7%) - rules_building_block/discovery_signal_unusual_user_host.toml (41:50, 13%) 7 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (121:129, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (59:66, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (82:90, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:56, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:143, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:90, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (92:98, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:97, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:84, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (136:142, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (117:123, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (98:106, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (102:108, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (102:108, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (21:30, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (96:103, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:69, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (88:96, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (90:97, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:113, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (105:111, 6%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml (119:125, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (101:107, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml (31:39, 16%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (46:54, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (132:138, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml (79:87, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (114:120, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:92, 8%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/_deprecated/execution_reverse_shell_via_named_pipe.toml (57:63, 10%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (108:114, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (130:136, 4%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (120:128, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:90, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (94:100, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (240:248, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:97, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (103:109, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:143, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (180:186, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (94:100, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml (106:112, 6%) - rules_building_block/lateral_movement_at.toml (55:61, 10%) 7 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (102:108, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (94:100, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (120:126, 4%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (81:89, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (131:137, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/macos/persistence_login_logout_hooks_defaults.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/impact_ransomware_note_file_over_smb.toml (100:106, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (20:29, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (172:178, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (90:98, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (35:43, 13%) 7 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (112:118, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml (81:89, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/lateral_movement_executable_tool_transfer_smb.toml (85:93, 7%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:113, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (143:149, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (93:99, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (128:134, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/credential_access_wbadmin_ntds.toml (66:72, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (30:36, 12%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (110:116, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/_deprecated/execution_find_binary.toml (35:41, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/macos/persistence_crontab_creation.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (116:122, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_enabled_via_dism.toml (68:74, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/_deprecated/execution_env_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:201, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml (112:118, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (83:89, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (37:43, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:93, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (95:101, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (106:113, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_replication_rights.toml (123:131, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (142:148, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml (124:130, 5%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (115:123, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:91, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (126:134, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (85:93, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:201, 3%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:126, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (102:108, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_reg_service_imagepath_mod.toml (147:153, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:84, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (159:165, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/macos/privilege_escalation_local_user_added_to_admin.toml (102:108, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (141:147, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (59:65, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (23:29, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:85, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (98:104, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (114:120, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (58:65, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (83:91, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:171, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (100:106, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (116:122, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (115:123, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml (25:34, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml (15:21, 6%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (142:148, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (135:141, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:201, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (161:167, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (99:105, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:94, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:64, 11%) 7 duplicated lines in: - rules/windows/credential_access_dcsync_newterm_subjectuser.toml (123:129, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (42:50, 12%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (105:111, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (110:116, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (149:155, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (108:116, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (50:58, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:89, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (118:126, 5%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (143:149, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:58, 11%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (21:30, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (171:177, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:164, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (105:111, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (82:90, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (85:93, 6%) 7 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (77:85, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml (82:90, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:91, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (127:133, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (45:51, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (8:16, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (16:24, 5%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:132, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (89:96, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (71:79, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (106:112, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (77:85, 9%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (76:82, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (42:48, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (83:89, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml (97:103, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (97:103, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (101:107, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (117:123, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (128:134, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (109:115, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (183:189, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml (31:39, 17%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (38:46, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (127:133, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (65:71, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/network/command_and_control_port_26_activity.toml (78:84, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:134, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml (119:125, 6%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (104:110, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (231:239, 3%) - rules_building_block/persistence_creation_of_kernel_module.toml (37:45, 14%) 7 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (106:112, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (129:137, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (42:50, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:93, 7%) 7 duplicated lines in: - rules/macos/persistence_emond_rules_file_creation.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (88:94, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (177:183, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (95:103, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (13:19, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (14:20, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:118, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:107, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (59:66, 7%) - rules_building_block/discovery_posh_generic.toml (49:56, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (88:96, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (73:81, 7%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:119, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (237:243, 2%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (73:79, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (31:37, 11%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_table_created.toml (16:22, 8%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (128:134, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:97, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:110, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:102, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/macos/privilege_escalation_root_crontab_filemod.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/macos/privilege_escalation_user_added_to_admin_group.toml (104:110, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (150:156, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:105, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/lateral_movement_execution_via_file_shares_sequence.toml (77:84, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:201, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/credential_access_saved_creds_vault_winlog.toml (85:93, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (116:122, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (119:125, 4%) 7 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:204, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (133:139, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (109:117, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (141:147, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/execution_vi_binary.toml (33:39, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (101:107, 6%) - rules_building_block/discovery_net_view.toml (105:111, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (86:94, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (46:54, 8%) 7 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (110:116, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (141:147, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:85, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_message_of_the_day_execution.toml (73:79, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (101:109, 6%) - rules_building_block/discovery_hosts_file_access.toml (40:48, 14%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:90, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (125:131, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (113:121, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (105:111, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml (22:31, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (71:77, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (21:30, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:201, 3%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (108:114, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (95:103, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_posh_hacktool_authors.toml (118:124, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (21:30, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml (16:22, 9%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_proxy_execution_via_msdt.toml (66:72, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml (80:88, 9%) - rules_building_block/defense_evasion_file_permission_modification.toml (45:53, 12%) 7 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (21:30, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:91, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (140:146, 4%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (81:89, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (59:67, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (87:93, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (95:103, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (43:51, 10%) 7 duplicated lines in: - rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml (113:119, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:123, 5%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (86:92, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:137, 5%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/network/command_and_control_fin7_c2_behavior.toml (41:49, 12%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:151, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml (64:70, 9%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (170:176, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (90:96, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_deletion.toml (18:24, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:126, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (154:160, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (142:148, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (83:91, 7%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (264:272, 2%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/_deprecated/execution_command_shell_started_by_powershell.toml (28:34, 18%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:158, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:70, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:135, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (118:124, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (119:125, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (115:121, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (116:122, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (80:88, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (116:122, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml (140:146, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml (105:111, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (119:127, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:106, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (36:45, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (32:41, 7%) 7 duplicated lines in: - rules/macos/execution_installer_package_spawned_network_event.toml (113:119, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (117:123, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (122:128, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (134:140, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (95:101, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:110, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (109:115, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (84:92, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml (82:90, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (33:41, 15%) 7 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (166:172, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (110:116, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (129:135, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml (59:65, 11%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (126:132, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/execution_python_tty_shell.toml (104:110, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/command_and_control_linux_chisel_server_activity.toml (93:100, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:66, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:31, 11%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:128, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:125, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml (28:37, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (97:103, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:136, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:113, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (135:143, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:129, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:131, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (117:123, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/macos/persistence_periodic_tasks_file_mdofiy.toml (46:52, 7%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (124:130, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/macos/persistence_enable_root_account.toml (98:104, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:44, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml (103:109, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (51:59, 11%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:211, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:104, 6%) 7 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (118:126, 5%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (77:83, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (103:109, 4%) 7 duplicated lines in: - rules/linux/execution_potentially_overly_permissive_container_creation.toml (102:108, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (125:131, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (141:147, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:71, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:35, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:66, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:25, 9%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (26:34, 15%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_registry_modification.toml (66:72, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (102:110, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:56, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (71:77, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/integrations/aws/collection_cloudtrail_logging_created.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (91:97, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (203:211, 3%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_group_creation.toml (15:21, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_authorized_keys_file_deletion.toml (103:111, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/network/discovery_potential_port_scan_detected.toml (84:92, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:99, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (122:128, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:112, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (98:104, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (161:167, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (105:111, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (128:134, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (138:144, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:140, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:95, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (106:112, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (102:108, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (88:94, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml (70:79, 9%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (196:202, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (95:101, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (119:125, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (89:96, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (83:89, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (43:49, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:51, 12%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (198:206, 3%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/macos/defense_evasion_modify_environment_launchctl.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/privilege_escalation_kworker_uid_elevation.toml (57:64, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (115:122, 5%) 7 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (107:113, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (88:94, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml (70:76, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (27:33, 6%) - rules_building_block/execution_wmi_wbemtest.toml (28:34, 13%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_table_created.toml (86:95, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (67:76, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:138, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (97:103, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:93, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/integrations/azure/discovery_blob_container_access_mod.toml (84:90, 8%) - rules_building_block/discovery_posh_generic.toml (290:296, 2%) 7 duplicated lines in: - rules/_deprecated/execution_expect_binary.toml (35:41, 15%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (88:96, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml (118:126, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (123:129, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (102:110, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/_deprecated/credential_access_tcpdump_activity.toml (45:51, 13%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (158:164, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (104:110, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml (21:30, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (63:70, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (158:164, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (115:121, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (84:90, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (85:91, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (121:129, 4%) - rules_building_block/privilege_escalation_trap_execution.toml (40:48, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (24:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml (113:119, 6%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (44:50, 2%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:56, 9%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (131:137, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (103:111, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (25:34, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (71:79, 8%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (41:49, 11%) 7 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (64:71, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_scripts.toml (135:141, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/macos/persistence_login_logout_hooks_defaults.toml (24:33, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:88, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml (61:69, 10%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:125, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (114:120, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (48:56, 11%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (100:108, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (89:97, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (101:109, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/credential_access_manual_memory_dumping.toml (68:76, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (127:133, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:87, 8%) 7 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (127:133, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (91:98, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:120, 6%) 7 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (81:89, 8%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (38:46, 12%) 7 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (106:112, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (69:76, 3%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:133, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (139:145, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:110, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/execution_mofcomp.toml (27:33, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (113:119, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (136:144, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (68:76, 9%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (128:134, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml (87:95, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (50:58, 11%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:84, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml (109:115, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:46, 14%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (36:45, 5%) - rules_building_block/discovery_security_software_wmic.toml (41:50, 7%) 7 duplicated lines in: - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml (54:61, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (26:34, 15%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (199:205, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (81:87, 8%) 7 duplicated lines in: - rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml (21:30, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (199:205, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (123:129, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (158:164, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (116:122, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:131, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/execution_tc_bpf_filter.toml (107:113, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (104:110, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (121:127, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:55, 12%) 7 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (102:109, 5%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/cross-platform/execution_suspicious_java_netcon_childproc.toml (110:116, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:71, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:36, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:177, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (82:89, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:288, 2%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (22:31, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (123:129, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (25:33, 17%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (38:46, 12%) 7 duplicated lines in: - rules/_deprecated/execution_ssh_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:99, 7%) 7 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (93:100, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (130:136, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (108:114, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (24:33, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:66, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (55:61, 7%) 7 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (88:96, 6%) - rules_building_block/lateral_movement_at.toml (44:52, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:124, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (82:88, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml (83:91, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_memdump.toml (94:102, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (104:110, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:60, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml (84:92, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:73, 8%) 7 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (23:32, 6%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:107, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:176, 3%) 7 duplicated lines in: - rules/_deprecated/execution_c89_c99_binary.toml (35:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (89:96, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/promotions/execution_endgame_exploit_prevented.toml (83:89, 8%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/credential_access_suspicious_lsass_access_generic.toml (109:117, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:118, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (116:124, 6%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (111:119, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_microsoft_defender_tampering.toml (132:140, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:260, 2%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:79, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:110, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/_deprecated/execution_apt_binary.toml (36:42, 15%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (98:104, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/linux/credential_access_aws_creds_search_inside_container.toml (102:110, 7%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (89:97, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (57:65, 10%) 7 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (101:107, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (49:56, 7%) - rules_building_block/discovery_net_view.toml (50:57, 7%) 7 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (140:146, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (113:121, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (139:148, 4%) - rules_building_block/execution_linux_segfault.toml (55:64, 13%) 7 duplicated lines in: - rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml (124:130, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:135, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:149, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml (101:107, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml (85:93, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (71:79, 7%) 7 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (16:22, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (86:94, 6%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (117:123, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (95:101, 6%) 7 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (161:169, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (82:90, 8%) 7 duplicated lines in: - rules/macos/persistence_modification_sublime_app_plugin_or_script.toml (21:30, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (25:35, 9%) 7 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (122:130, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:93, 7%) 7 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (156:162, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:77, 9%) 7 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (97:103, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:79, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_amsienable_key_mod.toml (105:113, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (46:54, 10%) 7 duplicated lines in: - rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml (28:37, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/credential_access_iis_connectionstrings_dumping.toml (93:101, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (50:58, 9%) 7 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (134:140, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (101:107, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (129:135, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/_deprecated/execution_busybox_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (79:86, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (38:45, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (86:92, 8%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:113, 5%) 7 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml (61:69, 10%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:84, 7%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml (19:25, 9%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (21:27, 11%) 7 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (76:84, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (34:42, 13%) 7 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (138:146, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/execution_remote_code_execution_via_postgresql.toml (110:118, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (159:165, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (192:198, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (130:138, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (49:57, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (116:122, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (115:121, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_user_logon.toml (128:134, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:50, 11%) 7 duplicated lines in: - rules/windows/initial_access_script_executing_powershell.toml (123:129, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/linux/execution_suspicious_mining_process_creation_events.toml (100:106, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (89:95, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (73:79, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (177:183, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:76, 9%) 7 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (107:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (90:97, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (117:124, 4%) 7 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (40:49, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (25:34, 7%) 7 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (194:200, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (108:114, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:89, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:76, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (128:134, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_unusual_system_vp_child_program.toml (63:69, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (101:109, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:112, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (117:123, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:109, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (64:70, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (23:29, 8%) 7 duplicated lines in: - rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml (123:129, 5%) - rules_building_block/credential_access_win_private_key_access.toml (75:81, 8%) 7 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (116:124, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (40:48, 13%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:105, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:108, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:49, 13%) 7 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:134, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:63, 10%) 7 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (110:116, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:58, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:92, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (249:255, 3%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (123:129, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (92:98, 7%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:123, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:63, 10%) 7 duplicated lines in: - rules/_deprecated/execution_awk_binary_shell.toml (34:40, 16%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (98:106, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (98:106, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:87, 8%) 7 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:122, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:102, 7%) 7 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (89:96, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (90:97, 5%) 7 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (144:150, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:72, 8%) 7 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:137, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml (117:123, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:80, 8%) 7 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (43:49, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (45:51, 5%) 7 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (103:109, 7%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (66:72, 9%) 7 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (18:24, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:133, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:63, 8%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:51, 12%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (53:61, 11%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:112, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:109, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:61, 11%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (116:122, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:109, 5%) 7 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (110:116, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:108, 6%) 7 duplicated lines in: - rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml (85:91, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (131:137, 5%) - rules_building_block/execution_unsigned_service_executable.toml (56:62, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_sip_provider_mod.toml (64:70, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:29, 10%) 7 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:120, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (207:215, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (126:134, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:66, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:35, 12%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:229, 3%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:84, 8%) 7 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (250:256, 2%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:126, 5%) 7 duplicated lines in: - rules/_deprecated/execution_flock_binary.toml (33:39, 16%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (167:175, 3%) 7 duplicated lines in: - rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml (26:35, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (24:33, 5%) 7 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (86:92, 7%) - rules_building_block/execution_unsigned_service_executable.toml (60:66, 9%) 7 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (168:174, 4%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:175, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:99, 7%) 7 duplicated lines in: - rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml (109:115, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:120, 6%) 7 duplicated lines in: - rules/windows/persistence_local_scheduled_task_creation.toml (92:98, 7%) - rules_building_block/lateral_movement_at.toml (59:65, 10%) 7 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (108:114, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:97, 7%) 7 duplicated lines in: - rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml (24:33, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (116:122, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (113:119, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:111, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:114, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:66, 8%) 7 duplicated lines in: - rules/integrations/aws/impact_iam_deactivate_mfa_device.toml (19:25, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (23:29, 10%) 7 duplicated lines in: - rules/_deprecated/execution_interactive_exec_to_container.toml (105:111, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/linux/execution_interpreter_tty_upgrade.toml (110:116, 6%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (113:119, 5%) - rules_building_block/collection_posh_compression.toml (130:136, 5%) 7 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (185:193, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (141:149, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:70, 8%) 7 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (25:33, 17%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (76:84, 7%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (83:91, 9%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (64:71, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (141:147, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:66, 10%) 7 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (164:172, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (47:55, 12%) 7 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (110:116, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:116, 6%) 7 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (97:103, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:67, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:100, 7%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:89, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:70, 10%) 7 duplicated lines in: - rules/windows/discovery_command_system_account.toml (92:98, 7%) - rules_building_block/discovery_security_software_wmic.toml (91:97, 7%) 7 duplicated lines in: - rules/macos/persistence_credential_access_authorization_plugin_creation.toml (104:110, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (49:55, 11%) 7 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (102:110, 5%) - rules_building_block/privilege_escalation_trap_execution.toml (43:49, 13%) 7 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (100:106, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:91, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:118, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:194, 3%) 7 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (64:71, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/network/discovery_potential_syn_port_scan_detected.toml (83:91, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (53:59, 11%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (98:106, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:84, 8%) 7 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (98:106, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:67, 8%) 7 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (114:120, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (95:101, 6%) 7 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (41:47, 6%) - rules_building_block/discovery_capnetraw_capability.toml (47:53, 9%) 7 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (119:125, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:118, 6%) 7 duplicated lines in: - rules/macos/credential_access_mitm_localhost_webproxy.toml (25:34, 7%) - rules_building_block/discovery_capnetraw_capability.toml (26:35, 9%) 7 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (153:159, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:83, 8%) 7 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (100:108, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (35:43, 13%) 7 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (110:118, 6%) - rules_building_block/discovery_posh_password_policy.toml (102:108, 6%) 7 duplicated lines in: - rules/windows/defense_evasion_wsl_child_process.toml (67:73, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (29:35, 8%) 7 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (98:106, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (61:69, 9%) 7 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:126, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:67, 8%) 7 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (57:64, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (47:54, 7%) 7 duplicated lines in: - rules/linux/privilege_escalation_sda_disk_mount_non_root.toml (103:111, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:43, 13%) 7 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (98:104, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:103, 6%) 7 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (150:156, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:80, 8%) 7 duplicated lines in: - rules/_deprecated/execution_cpulimit_binary.toml (36:42, 15%) - rules_building_block/discovery_posh_generic.toml (294:300, 2%) 7 duplicated lines in: - rules/windows/defense_evasion_workfolders_control_execution.toml (91:99, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (48:56, 11%) 7 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (113:121, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (85:93, 6%) 6 duplicated lines in: - rules/linux/persistence_xdg_autostart_netcon.toml (68:73, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/command_and_control_rdp_tunnel_plink.toml (104:109, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (103:110, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (85:92, 5%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (88:93, 4%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml (91:96, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (62:67, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_fastpass_phishing.toml (80:85, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:82, 7%) 6 duplicated lines in: - rules/promotions/execution_endgame_exploit_prevented.toml (80:86, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (84:90, 5%) - rules_building_block/discovery_system_time_discovery.toml (38:44, 10%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (3:9, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (114:119, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (75:80, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:54, 9%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (84:89, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml (92:98, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (55:60, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (64:69, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (105:111, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:68, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (40:46, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:50, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (133:138, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (69:74, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (23:28, 6%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (110:115, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/network/command_and_control_cobalt_strike_beacon.toml (83:88, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (65:70, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (60:66, 10%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (77:83, 8%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (76:82, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (62:67, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (100:105, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (123:128, 3%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml (90:95, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_ms_office_suspicious_regmod.toml (125:130, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/persistence_grub_makeconfig.toml (81:86, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_exclusion_via_powershell.toml (127:132, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (38:43, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (126:132, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (65:70, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (61:66, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (63:68, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:54, 6%) 6 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (110:115, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (112:119, 3%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (101:106, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (148:153, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:122, 5%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (3:9, 11%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (3:9, 11%) 6 duplicated lines in: - rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml (115:120, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (88:93, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (125:131, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (125:131, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (162:170, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (68:76, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_disable_selinux_attempt.toml (98:103, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (111:116, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml (84:89, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (52:57, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml (73:78, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (71:76, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_timestomp_touch.toml (30:35, 7%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (23:28, 11%) 6 duplicated lines in: - rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml (76:81, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_signal_unusual_user_host.toml (47:53, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (100:105, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (12:17, 7%) - rules_building_block/discovery_system_time_discovery.toml (14:19, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (97:102, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml (68:73, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (34:39, 5%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (135:140, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (115:121, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (128:133, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (128:133, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (85:90, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (145:150, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/execution_github_new_event_action_for_pat.toml (3:9, 12%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (103:108, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (120:125, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (118:123, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (64:69, 8%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (12:17, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (14:19, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml (86:91, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:82, 7%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (102:108, 6%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (102:107, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (102:107, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (83:89, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (76:82, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (39:45, 7%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (71:76, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (101:106, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (62:67, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (154:160, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (116:121, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (80:85, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml (106:112, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/_deprecated/execution_linux_process_started_in_temp_directory.toml (41:47, 14%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (20:25, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (64:69, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/linux/persistence_rc_local_service_already_running.toml (57:62, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml (170:176, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (145:152, 4%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (104:109, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (85:91, 5%) - rules_building_block/discovery_system_service_discovery.toml (39:45, 10%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (118:124, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml (92:97, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (29:35, 2%) - rules_building_block/discovery_system_service_discovery.toml (39:45, 10%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (65:70, 4%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (91:97, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (75:80, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/persistence_kde_autostart_modification.toml (138:143, 2%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (83:88, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (148:153, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (58:63, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (24:29, 5%) - rules_building_block/collection_outlook_email_archive.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (61:66, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (85:91, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (39:45, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (164:169, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (85:90, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (86:91, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (95:100, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (105:110, 3%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (106:111, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (67:72, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (203:209, 3%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (79:87, 5%) - rules_building_block/discovery_posh_generic.toml (148:156, 2%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (2:8, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (3:9, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (154:159, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/persistence_dontexpirepasswd_account.toml (91:98, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (114:119, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/credential_access_generic_localdumps.toml (69:74, 5%) - rules_building_block/credential_access_win_private_key_access.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_posh_password_policy.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (163:169, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (164:169, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (164:169, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (39:45, 5%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (42:48, 8%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/persistence_linux_user_added_to_privileged_group.toml (117:122, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (147:152, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (107:112, 4%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (114:119, 5%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (106:111, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml (91:96, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (102:107, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml (53:59, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml (53:59, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (76:82, 6%) - rules_building_block/discovery_system_service_discovery.toml (39:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (147:154, 3%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (66:71, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (74:80, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (99:104, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (21:26, 6%) - rules_building_block/execution_wmi_wbemtest.toml (29:34, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (106:111, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (121:126, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (148:153, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (112:117, 4%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/persistence_shell_configuration_modification.toml (53:58, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml (67:72, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (29:35, 2%) - rules_building_block/command_and_control_bitsadmin_activity.toml (39:45, 7%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (55:60, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (77:82, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:120, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/persistence_app_compat_shim.toml (63:68, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (78:83, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/linux/execution_nc_listener_via_rlwrap.toml (87:92, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (179:186, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (65:70, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/cross-platform/initial_access_azure_o365_with_network_alert.toml (101:106, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml (131:137, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (71:76, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (70:75, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/credential_access_imageload_azureadconnectauthsvc.toml (61:66, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (61:66, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (80:85, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:124, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (114:119, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (102:107, 6%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:68, 8%) 6 duplicated lines in: - rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml (76:81, 6%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_adidns_wpad_record.toml (81:86, 6%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (111:119, 4%) - rules_building_block/discovery_posh_generic.toml (148:156, 2%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_urls.toml (124:129, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (123:129, 5%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (114:120, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (26:31, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (85:90, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (92:98, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (56:61, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (90:95, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (105:110, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (91:97, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (39:45, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (90:95, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (71:76, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (169:175, 3%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (95:102, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (113:118, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_internet_capabilities.toml (55:61, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (91:96, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (99:104, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (40:46, 6%) - rules_building_block/discovery_net_view.toml (36:42, 6%) 6 duplicated lines in: - rules/windows/persistence_priv_escalation_via_accessibility_features.toml (170:175, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (84:90, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (94:99, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (105:111, 6%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:46, 11%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (146:151, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:54, 10%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (89:94, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (135:141, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (80:85, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (115:120, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (158:163, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (132:137, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (132:137, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (76:82, 8%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (77:82, 4%) - rules_building_block/discovery_security_software_wmic.toml (56:61, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (12:17, 7%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (14:19, 10%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (102:108, 6%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (80:85, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (15:20, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (83:88, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 5%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (52:57, 5%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml (72:77, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (83:88, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (89:94, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (100:105, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (100:105, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml (87:92, 7%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (127:132, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (99:106, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (84:90, 5%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml (128:134, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (61:66, 6%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (62:67, 7%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (65:70, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (24:29, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (83:88, 5%) - rules_building_block/discovery_capnetraw_capability.toml (45:50, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (125:131, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (125:131, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (169:175, 3%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (114:120, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (93:98, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:56, 10%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (102:108, 6%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/macos/persistence_loginwindow_plist_modification.toml (76:81, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (106:111, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_sudo_token_via_process_injection.toml (106:111, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (174:179, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (96:102, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml (89:94, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (99:104, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (109:114, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (98:103, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:45, 12%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (102:109, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/linux/persistence_dpkg_unusual_execution.toml (125:131, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml (95:100, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (148:154, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/persistence_github_new_pat_for_user.toml (3:9, 11%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (87:92, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (124:129, 3%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (84:89, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (113:118, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/lateral_movement_unusual_remote_file_creation.toml (94:99, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (124:129, 3%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/linux/persistence_etc_file_creation.toml (232:237, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (111:116, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (34:39, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (92:97, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (152:157, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (131:137, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (111:118, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (104:109, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (125:130, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (143:148, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (65:70, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (170:175, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (65:70, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/integrations/aws/defense_evasion_sts_get_federation_token.toml (89:95, 7%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (81:87, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (162:170, 3%) - rules_building_block/discovery_posh_generic.toml (148:156, 2%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_container_util_misconfiguration.toml (60:65, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (56:61, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (3:9, 11%) 6 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (185:190, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml (120:125, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:115, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (60:65, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (29:34, 8%) 6 duplicated lines in: - rules/network/command_and_control_fin7_c2_behavior.toml (44:49, 10%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (73:78, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (166:171, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (44:49, 5%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (86:91, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml (65:70, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (78:83, 4%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (63:69, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (79:85, 6%) - rules_building_block/discovery_generic_account_groups.toml (30:36, 6%) 6 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (23:28, 5%) - rules_building_block/execution_wmi_wbemtest.toml (29:34, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (75:80, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (98:103, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (66:71, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/persistence_init_d_file_creation.toml (142:147, 3%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (106:111, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (99:104, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (86:91, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (69:74, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml (79:84, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml (130:135, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml (114:119, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (131:136, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (140:146, 4%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (133:138, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (49:54, 7%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (60:65, 5%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (84:90, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (61:66, 6%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (92:97, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (102:108, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (104:109, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (67:72, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/linux/persistence_web_server_sus_destination_port.toml (82:87, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (91:96, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (95:102, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (112:119, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (85:92, 5%) 6 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (100:106, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (53:59, 10%) 6 duplicated lines in: - rules/macos/defense_evasion_unload_endpointsecurity_kext.toml (107:112, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (41:47, 4%) - rules_building_block/discovery_security_software_wmic.toml (45:51, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (69:74, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml (98:103, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (26:31, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/persistence_setuid_setgid_capability_set.toml (139:144, 3%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (48:56, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (40:48, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (146:152, 4%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (77:83, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/execution_github_new_event_action_for_pat.toml (3:9, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (88:93, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/execution_pdf_written_file.toml (105:111, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (100:107, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml (147:152, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (138:143, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_sudoers_file_mod.toml (22:27, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (23:28, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (66:71, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (113:118, 3%) - rules_building_block/defense_evasion_write_dac_access.toml (33:38, 8%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (100:105, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (90:96, 6%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (100:105, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (89:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (43:48, 5%) - rules_building_block/discovery_capnetraw_capability.toml (45:50, 7%) 6 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (84:89, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (100:105, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (61:66, 7%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (83:89, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml (93:98, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (107:112, 4%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (84:90, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (51:56, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (65:70, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml (51:56, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (26:31, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (179:186, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_internet_capabilities.toml (55:61, 10%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (115:121, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (144:151, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml (86:91, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:79, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (66:71, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/persistence_via_lsa_security_support_provider_registry.toml (106:111, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml (103:108, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (126:131, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (50:55, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (115:121, 5%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (154:160, 4%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (153:158, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (140:146, 4%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (111:118, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (83:88, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (100:105, 4%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/execution_shell_via_child_tcp_utility_linux.toml (127:132, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (54:59, 8%) - rules_building_block/execution_github_repo_created.toml (19:24, 14%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (63:68, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_file_creation_mult_extension.toml (99:104, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (156:161, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (67:72, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (148:153, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:76, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (63:68, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (29:34, 8%) 6 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (124:129, 4%) - rules_building_block/execution_wmi_wbemtest.toml (47:52, 11%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (140:146, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (147:154, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (108:113, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (140:145, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (105:112, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (72:77, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (52:57, 7%) 6 duplicated lines in: - rules/_deprecated/persistence_shell_activity_by_web_server.toml (61:66, 7%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml (171:176, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (78:83, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml (79:85, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (88:93, 5%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (128:134, 3%) - rules_building_block/collection_posh_compression.toml (90:96, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (125:130, 3%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (99:104, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (56:61, 6%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (26:31, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (64:69, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/persistence_scheduled_task_creation_winlog.toml (55:60, 7%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (106:112, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (120:125, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (155:160, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml (94:101, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (181:186, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (138:143, 3%) - rules_building_block/discovery_security_software_wmic.toml (95:100, 6%) 6 duplicated lines in: - rules/linux/initial_access_first_time_public_key_authentication.toml (83:88, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (64:69, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (24:29, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (111:117, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml (90:95, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:90, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (65:70, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (118:125, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (3:9, 12%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (44:49, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (48:53, 5%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (79:84, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (148:153, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml (86:91, 4%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (102:107, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (170:175, 3%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (135:140, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (135:140, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (109:114, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (41:46, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:50, 8%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (126:132, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:115, 5%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/persistence_service_dll_unsigned.toml (198:203, 3%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (79:86, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (56:61, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (107:112, 4%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (140:145, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml (96:101, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (34:39, 5%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (81:87, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml (99:104, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (147:152, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_job_creation.toml (92:99, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_chattr_immutable_file.toml (96:101, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (43:48, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml (74:80, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (36:41, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml (28:33, 6%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (45:51, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:50, 5%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (60:66, 10%) - rules_building_block/discovery_capnetraw_capability.toml (83:88, 7%) 6 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (86:91, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (65:70, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (144:151, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (67:72, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (52:57, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (41:46, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (128:133, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (128:133, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (83:88, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (131:136, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (52:57, 8%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (99:104, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (153:158, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (60:65, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (96:101, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (107:112, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_address.toml (87:92, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (24:29, 10%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (42:47, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (96:101, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (154:159, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (40:46, 6%) - rules_building_block/discovery_security_software_wmic.toml (45:51, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (119:125, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (117:123, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (96:101, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/credential_access_moving_registry_hive_via_smb.toml (101:106, 6%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (114:120, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (141:146, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (103:108, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (127:132, 4%) - rules_building_block/collection_archive_data_zip_imageload.toml (57:62, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (132:137, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (44:49, 6%) - rules_building_block/discovery_security_software_wmic.toml (49:54, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml (91:96, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (169:175, 3%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (26:33, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (58:65, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (12:17, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (15:20, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (64:69, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (42:47, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (101:106, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (130:135, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (130:135, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (128:133, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml (91:96, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (103:108, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (61:66, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:115, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (155:160, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (98:103, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (153:158, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (111:117, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_right_to_left_override.toml (101:106, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml (80:86, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (80:85, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (79:84, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (118:123, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (48:53, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/credential_access_lsass_memdump_file_created.toml (107:112, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (83:89, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (83:89, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (94:99, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (23:28, 4%) - rules_building_block/credential_access_mdmp_file_creation.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (128:134, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:115, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_prctl_process_name_tampering.toml (105:111, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (85:91, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (84:89, 4%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml (116:122, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (51:56, 8%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml (84:89, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:82, 7%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (146:151, 3%) - rules_building_block/lateral_movement_wmic_remote.toml (69:74, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (99:104, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (23:28, 4%) - rules_building_block/credential_access_win_private_key_access.toml (26:31, 7%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (106:113, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (65:70, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (126:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (63:68, 6%) - rules_building_block/lateral_movement_at.toml (29:34, 8%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (163:168, 3%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (96:103, 5%) - rules_building_block/discovery_posh_password_policy.toml (89:96, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (108:113, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (100:105, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (67:72, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (162:170, 3%) - rules_building_block/collection_posh_compression.toml (80:88, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (47:52, 7%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (83:88, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (103:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (103:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (142:148, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (21:26, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (24:29, 8%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_registry.toml (81:86, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (45:51, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (36:42, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (96:101, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (78:83, 4%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (136:142, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (85:90, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (41:47, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (44:50, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml (58:63, 7%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (65:70, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_disable_uac_registry.toml (133:138, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:54, 9%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (61:66, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (114:119, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (114:119, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (91:97, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (110:116, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (84:89, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (93:98, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (134:140, 4%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (156:161, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (58:63, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (107:112, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (183:188, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (72:77, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml (98:103, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (88:94, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (144:151, 3%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (102:107, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (38:43, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml (104:109, 6%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (44:49, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (61:66, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (107:112, 4%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (126:132, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (80:85, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (33:38, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (92:98, 4%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (111:119, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (68:76, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (134:140, 4%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (113:120, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (85:92, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (144:151, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml (86:91, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (69:74, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (83:88, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (144:150, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/command_and_control_headless_browser.toml (56:61, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (138:143, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (87:92, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/command_and_control_tunneling_via_earthworm.toml (155:160, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (110:116, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_untrusted_driver_loaded.toml (84:89, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (91:96, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (113:118, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (331:337, 1%) - rules_building_block/collection_posh_compression.toml (90:96, 4%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (111:116, 4%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (103:108, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml (59:64, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (2:8, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (3:9, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (73:78, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (93:98, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:54, 10%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (75:80, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (93:98, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (145:150, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (63:68, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (145:152, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (77:83, 5%) - rules_building_block/discovery_system_time_discovery.toml (38:44, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (45:51, 6%) - rules_building_block/discovery_security_software_wmic.toml (45:51, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (94:101, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (111:116, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (101:106, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (61:66, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/impact_memory_swap_modification.toml (92:98, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (111:116, 2%) - rules_building_block/execution_unsigned_service_executable.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml (94:99, 4%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (82:87, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (65:70, 7%) - rules_building_block/lateral_movement_wmic_remote.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (55:60, 6%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (88:93, 4%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (79:86, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml (102:107, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (128:133, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml (102:108, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (135:141, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (153:158, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (29:34, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (42:47, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml (71:76, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (32:37, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (92:98, 5%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (129:135, 5%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (78:84, 8%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (116:122, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (65:70, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/windows/credential_access_ldap_attributes.toml (75:80, 4%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (114:120, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml (101:106, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml (122:127, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (106:112, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (111:119, 4%) - rules_building_block/collection_posh_compression.toml (80:88, 4%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (84:89, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (52:57, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (21:26, 2%) - rules_building_block/defense_evasion_masquerading_browsers.toml (24:29, 3%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (65:70, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (125:130, 5%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (134:139, 4%) 6 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml (114:120, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (65:70, 7%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (62:67, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (84:90, 5%) - rules_building_block/discovery_generic_account_groups.toml (30:36, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_index_file.toml (102:107, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml (111:117, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (81:87, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (133:139, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (144:151, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (143:148, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (72:78, 8%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (92:97, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (55:60, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (106:111, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (61:66, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (52:57, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (111:118, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_job_creation.toml (92:99, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (95:101, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (106:111, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (142:148, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml (50:56, 12%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (73:78, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (163:168, 3%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:54, 10%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (73:79, 8%) 6 duplicated lines in: - rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml (115:120, 5%) - rules_building_block/collection_posh_compression.toml (126:131, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (77:82, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/command_and_control_sunburst_c2_activity_detected.toml (131:136, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/collection_posh_keylogger.toml (51:56, 5%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (15:20, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (69:74, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/_deprecated/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml (44:50, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (117:123, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (159:167, 3%) - rules_building_block/collection_posh_compression.toml (80:88, 4%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (95:101, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (149:154, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (55:60, 7%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (83:89, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (32:38, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (64:69, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml (22:27, 8%) - rules_building_block/privilege_escalation_trap_execution.toml (23:28, 11%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (128:133, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (128:133, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (85:90, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (85:90, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (82:87, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (69:74, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (72:77, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (49:54, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (94:99, 6%) - rules_building_block/discovery_security_software_wmic.toml (95:100, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (104:109, 1%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (94:99, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (94:99, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/command_and_control_tool_transfer_via_curl.toml (67:72, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (137:142, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (55:60, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (92:98, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml (90:95, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (130:135, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (88:93, 4%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml (116:122, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (32:38, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (155:161, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (12:17, 7%) - rules_building_block/discovery_generic_process_discovery.toml (14:19, 10%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (78:83, 4%) - rules_building_block/discovery_net_share_discovery_winlog.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (223:228, 2%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (124:130, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (3:9, 13%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/discovery_system_network_connections.toml (19:24, 13%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (67:72, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (61:66, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (100:105, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (100:105, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (141:147, 4%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_connection_discovery.toml (125:130, 5%) - rules_building_block/discovery_win_network_connections.toml (53:58, 9%) 6 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:112, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (52:57, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (45:50, 5%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml (34:39, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (23:28, 11%) 6 duplicated lines in: - rules/cross-platform/impact_hosts_file_modified.toml (58:63, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:54, 6%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (146:152, 4%) - rules_building_block/discovery_capnetraw_capability.toml (83:88, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/windows/credential_access_kirbi_file.toml (65:70, 6%) - rules_building_block/credential_access_win_private_key_access.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml (92:97, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (43:48, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (62:67, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (148:156, 3%) - rules_building_block/discovery_posh_generic.toml (148:156, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/linux/persistence_systemd_generator_creation.toml (136:142, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (172:177, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (172:177, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (128:134, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (38:43, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (140:146, 4%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (174:179, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (174:179, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (106:111, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (145:152, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (105:110, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (125:130, 5%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (63:68, 8%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (122:127, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (90:95, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (135:140, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_prevented.toml (73:78, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (50:55, 10%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (122:127, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (78:83, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (147:154, 3%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (75:80, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (43:48, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (47:52, 11%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (60:65, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (124:129, 4%) - rules_building_block/lateral_movement_wmic_remote.toml (69:74, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_via_wsus_update.toml (21:26, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (20:25, 10%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (114:119, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_iniscript.toml (117:124, 4%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_posh_password_policy.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/execution_downloaded_url_file.toml (73:78, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (47:52, 8%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (51:56, 5%) - rules_building_block/discovery_security_software_wmic.toml (48:53, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (70:75, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (93:99, 6%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (20:25, 3%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (83:89, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (92:98, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (147:154, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (97:103, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (126:131, 4%) - rules_building_block/execution_unsigned_service_executable.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (59:64, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (51:56, 8%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (107:114, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/windows/impact_ransomware_file_rename_smb.toml (100:105, 6%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (78:84, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (95:102, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/promotions/execution_endgame_exploit_prevented.toml (80:86, 7%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (113:119, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/execution_shell_via_java_revshell_linux.toml (131:136, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (63:68, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (179:186, 3%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml (86:91, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:79, 7%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (32:37, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (61:66, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/impact_github_user_blocked_from_organization.toml (3:9, 14%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (70:76, 8%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (85:90, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (145:152, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml (46:51, 12%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (69:74, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (163:168, 3%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:56, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (84:89, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (124:129, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/discovery_virtual_machine_fingerprinting.toml (123:128, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (88:93, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_file_mod_writable_dir.toml (62:67, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (59:64, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (85:90, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml (104:109, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml (104:110, 6%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (80:85, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (88:94, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_fastpass_phishing.toml (80:85, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (66:71, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/persistence_web_server_sus_child_spawned.toml (143:148, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (144:151, 3%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/execution_scheduled_task_powershell_source.toml (64:69, 6%) - rules_building_block/execution_wmi_wbemtest.toml (29:34, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (40:46, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (36:42, 6%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (63:68, 6%) - rules_building_block/discovery_net_view.toml (52:57, 6%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (108:113, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (108:113, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/credential_access_lsass_loaded_susp_dll.toml (143:148, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (50:55, 10%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (124:129, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (79:84, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (21:26, 7%) - rules_building_block/discovery_net_view.toml (58:63, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (172:177, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (172:177, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (78:83, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (45:51, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:53, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (162:170, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (73:81, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (70:75, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (120:125, 4%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/persistence_system_shells_via_services.toml (134:139, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (79:85, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (38:44, 8%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (146:151, 3%) - rules_building_block/execution_wmi_wbemtest.toml (47:52, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (205:212, 3%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml (91:96, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/collection_posh_mailbox.toml (82:87, 5%) - rules_building_block/collection_posh_compression.toml (41:46, 4%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_signal_unusual_user_host.toml (47:53, 11%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_fastpass_phishing.toml (80:85, 8%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (41:46, 6%) - rules_building_block/discovery_capnetraw_capability.toml (45:50, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (141:146, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (79:84, 4%) - rules_building_block/execution_unsigned_service_executable.toml (23:28, 8%) 6 duplicated lines in: - rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml (120:125, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (59:65, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (26:31, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (141:146, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (177:183, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_rename_esxi_files.toml (103:108, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (177:183, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/command_and_control_screenconnect_childproc.toml (20:25, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (20:25, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (88:94, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_sc_sdset.toml (100:105, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/linux/persistence_user_credential_modification_via_echo.toml (77:82, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (72:78, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (12:17, 7%) - rules_building_block/discovery_security_software_wmic.toml (14:19, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (73:78, 4%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (65:70, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (93:98, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (100:107, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (124:129, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml (97:102, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (85:90, 6%) - rules_building_block/credential_access_win_private_key_access.toml (25:30, 7%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (148:154, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (129:134, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (129:134, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (65:70, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (138:143, 3%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/persistence_services_registry.toml (124:129, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (149:155, 4%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (62:67, 9%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (95:100, 4%) - rules_building_block/discovery_security_software_wmic.toml (49:54, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (146:152, 4%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (78:84, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/persistence_via_update_orchestrator_service_hijack.toml (161:166, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (141:146, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (85:90, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (85:90, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (52:57, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (102:109, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_job_creation.toml (92:99, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (102:107, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (102:107, 6%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:46, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (67:72, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (133:139, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (39:45, 7%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (180:185, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_from_unusual_directory.toml (95:100, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml (45:51, 6%) - rules_building_block/discovery_net_view.toml (36:42, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml (158:163, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml (66:71, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml (126:132, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (81:87, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (109:115, 6%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/persistence_potential_persistence_script_executable_bit_set.toml (87:92, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (84:89, 7%) - rules_building_block/discovery_net_view.toml (92:97, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (148:156, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (73:81, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (105:112, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/promotions/execution_endgame_exploit_detected.toml (78:84, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (192:197, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (128:134, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (110:116, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (154:159, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_parentchild_relationship.toml (163:168, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (182:187, 3%) - rules_building_block/discovery_of_domain_groups.toml (44:49, 12%) 6 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml (58:63, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (143:148, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (109:114, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (109:114, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/discovery_esxi_software_via_find.toml (91:96, 5%) - rules_building_block/discovery_capnetraw_capability.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (63:69, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml (74:79, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (83:89, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (79:84, 4%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (120:125, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:92, 6%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (109:114, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_pdf_reader.toml (78:83, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (150:155, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:54, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (3:9, 12%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (120:125, 5%) - rules_building_block/lateral_movement_at.toml (55:60, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (131:136, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (101:106, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (48:56, 7%) - rules_building_block/discovery_security_software_wmic.toml (41:49, 6%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (133:139, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:71, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/impact_potential_bruteforce_malware_infection.toml (147:152, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (111:118, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (93:98, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (65:71, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (111:118, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml (90:95, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_ms_office_written_file.toml (99:105, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (91:97, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (67:72, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (37:42, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml (90:95, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (115:121, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (146:151, 3%) - rules_building_block/discovery_security_software_wmic.toml (95:100, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (119:125, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (94:100, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (22:27, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (85:90, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (55:60, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (162:167, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (130:136, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (32:38, 7%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (124:129, 3%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (90:95, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (76:82, 8%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (132:137, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (100:105, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (88:94, 4%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (134:140, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (145:152, 4%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (65:70, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (194:200, 3%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_instance_cluster_deletion.toml (75:80, 6%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (32:37, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (67:72, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (29:34, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (112:117, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (84:89, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (115:120, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_posh_password_policy.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/credential_access_posh_relay_tools.toml (88:94, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml (116:122, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (107:112, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (26:33, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (58:65, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (59:64, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (66:71, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (98:103, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (98:103, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (87:93, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (87:93, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (69:74, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/cross-platform/discovery_security_software_grep.toml (67:72, 4%) - rules_building_block/discovery_win_network_connections.toml (30:36, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (116:122, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (55:60, 6%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (123:128, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml (122:127, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (107:112, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (148:154, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (48:56, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (32:40, 6%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (101:107, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (107:112, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (107:112, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (129:135, 5%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (77:83, 8%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (76:81, 5%) - rules_building_block/collection_posh_compression.toml (41:46, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (105:112, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (61:66, 7%) - rules_building_block/discovery_system_network_connections.toml (19:24, 13%) 6 duplicated lines in: - rules/linux/persistence_suspicious_file_opened_through_editor.toml (59:64, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (170:175, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/persistence_browser_extension_install.toml (94:101, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (102:107, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/macos/persistence_creation_modif_launch_deamon_sequence.toml (102:107, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (124:129, 3%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (197:202, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (126:131, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (126:131, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:115, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (156:161, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (129:135, 5%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (75:81, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (79:86, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (62:67, 7%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (94:99, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/persistence_via_hidden_run_key_valuename.toml (114:119, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (111:118, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (100:105, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (104:109, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (3:9, 11%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (112:117, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (101:106, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (3:9, 11%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (55:60, 7%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (104:109, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (47:52, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (118:124, 5%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (103:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (103:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml (130:136, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (69:74, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (62:67, 7%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (84:89, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml (127:132, 4%) - rules_building_block/collection_posh_compression.toml (118:123, 4%) 6 duplicated lines in: - rules/linux/command_and_control_telegram_api_request.toml (57:62, 7%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (68:73, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (39:45, 5%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (42:48, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (93:99, 6%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (40:45, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (138:143, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (106:113, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (110:115, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (89:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (112:119, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml (104:109, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (77:82, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_posh_token_impersonation.toml (92:97, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (104:110, 6%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (133:139, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (120:126, 3%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (32:38, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (115:120, 5%) - rules_building_block/execution_unsigned_service_executable.toml (78:83, 8%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (125:131, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (82:87, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (109:114, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_audit_policy_disabled_winlog.toml (44:49, 5%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/execution_network_event_post_compilation.toml (121:127, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (103:108, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (102:108, 5%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_credroaming_ldap.toml (77:82, 6%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (26:31, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (79:87, 5%) - rules_building_block/collection_posh_compression.toml (80:88, 4%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (123:129, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (110:115, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (110:115, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (97:102, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml (65:70, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (21:26, 6%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (24:29, 8%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (54:59, 8%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (88:93, 4%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (94:99, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (94:99, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (72:78, 5%) - rules_building_block/discovery_system_time_discovery.toml (38:44, 10%) 6 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (51:56, 8%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (110:116, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (143:149, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (48:56, 7%) - rules_building_block/discovery_net_view.toml (32:40, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (107:112, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (95:101, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (125:131, 5%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (107:114, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_job_creation.toml (92:99, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/macos/discovery_users_domain_built_in_commands.toml (106:111, 5%) - rules_building_block/discovery_of_domain_groups.toml (44:49, 12%) 6 duplicated lines in: - rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml (115:121, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (40:45, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (23:28, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (24:29, 8%) 6 duplicated lines in: - rules/integrations/aws/initial_access_password_recovery.toml (85:90, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (125:131, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (95:100, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (41:47, 4%) - rules_building_block/discovery_net_view.toml (36:42, 6%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (126:132, 5%) - rules_building_block/lateral_movement_at.toml (55:60, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_expired_driver_loaded.toml (88:93, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (100:105, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (54:59, 5%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (77:82, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (58:63, 6%) - rules_building_block/execution_unsigned_service_executable.toml (23:28, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (52:57, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (74:79, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (103:109, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (88:93, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (115:121, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (88:93, 5%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (110:115, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/windows/credential_access_rare_webdav_destination.toml (43:48, 8%) - rules_building_block/credential_access_win_private_key_access.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (95:100, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (78:83, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (328:336, 1%) - rules_building_block/discovery_posh_generic.toml (148:156, 2%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (107:112, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (110:115, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (135:141, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (120:125, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/linux/persistence_yum_package_manager_plugin_file_creation.toml (148:154, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (73:78, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (132:137, 4%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml (66:71, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml (41:46, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml (50:55, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (99:104, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (31:37, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/execution_github_repo_created.toml (3:9, 14%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (105:110, 3%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml (106:112, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_ec2_network_acl_creation.toml (73:78, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (34:39, 5%) 6 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (91:96, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (112:119, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/impact_github_pat_access_revoked.toml (3:9, 14%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (37:42, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (99:104, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (104:109, 2%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml (115:120, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/execution_shell_via_meterpreter_linux.toml (136:141, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (119:125, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (159:167, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (68:76, 5%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (108:113, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (67:72, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (138:143, 3%) - rules_building_block/lateral_movement_wmic_remote.toml (69:74, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml (58:63, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (24:29, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (89:94, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (63:68, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (125:133, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (68:76, 5%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/persistence_github_new_pat_for_user.toml (3:9, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (60:65, 5%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (146:151, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:76, 8%) 6 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (114:120, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (125:133, 3%) - rules_building_block/collection_posh_compression.toml (80:88, 4%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml (91:96, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_task_creation_winlog.toml (64:69, 8%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/linux/execution_netcon_from_rwx_mem_region_binary.toml (44:49, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (65:70, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (79:84, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 5%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (145:152, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (67:72, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (125:133, 3%) - rules_building_block/discovery_posh_generic.toml (148:156, 2%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (114:119, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/command_and_control_iexplore_via_com.toml (23:28, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (29:34, 7%) 6 duplicated lines in: - rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml (58:63, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml (135:141, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (102:109, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (84:89, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (106:111, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (2:8, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (3:9, 6%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (95:100, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (152:157, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml (99:104, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_scripts.toml (106:111, 4%) - rules_building_block/discovery_security_software_wmic.toml (49:54, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (74:80, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml (107:112, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (55:60, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (159:164, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml (32:38, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (32:38, 7%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (61:66, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml (66:71, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml (78:83, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (49:54, 8%) 6 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (93:98, 3%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (22:27, 6%) - rules_building_block/credential_access_win_private_key_access.toml (26:31, 7%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml (91:96, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dotnet_compiler_parent_process.toml (104:109, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (93:99, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (21:26, 2%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (51:56, 8%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (107:114, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (3:9, 11%) 6 duplicated lines in: - rules/macos/lateral_movement_mounting_smb_share.toml (104:109, 6%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml (120:125, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (83:89, 5%) - rules_building_block/discovery_system_time_discovery.toml (38:44, 10%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/execution_register_server_program_connecting_to_the_internet.toml (149:154, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml (63:68, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (29:34, 8%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (76:82, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml (153:158, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml (153:158, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (123:129, 5%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (67:72, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (111:117, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (111:117, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_mmc20.toml (102:107, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (65:70, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (144:151, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (92:98, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml (95:101, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml (30:35, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (23:28, 11%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (102:107, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (81:86, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (78:83, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (163:168, 3%) - rules_building_block/collection_archive_data_zip_imageload.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (137:143, 4%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (46:52, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:53, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (107:114, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/persistence_suspicious_scheduled_task_runtime.toml (131:136, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (79:84, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (60:65, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (79:86, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (134:140, 4%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (102:107, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (158:164, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (73:79, 8%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (84:89, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml (86:91, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (76:82, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (39:45, 7%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (102:109, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (45:51, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:53, 6%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (95:100, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/execution_suspicious_cmd_wmi.toml (94:99, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (69:74, 8%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml (41:46, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (47:52, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (66:71, 7%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (125:131, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (127:132, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (158:165, 3%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/initial_access_scripts_process_started_via_wmi.toml (124:129, 4%) - rules_building_block/discovery_security_software_wmic.toml (95:100, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (159:167, 3%) - rules_building_block/discovery_posh_generic.toml (148:156, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (140:146, 4%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (113:118, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml (104:109, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (97:102, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (134:140, 4%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (102:109, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml (92:97, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (163:168, 3%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (26:31, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (24:29, 9%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (98:104, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (98:103, 5%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (84:89, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (62:67, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (118:124, 5%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (123:128, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/discovery_linux_hping_activity.toml (105:110, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/linux/persistence_user_or_group_creation_or_modification.toml (59:64, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/linux/persistence_openssl_passwd_hash_generation.toml (89:94, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml (91:96, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml (101:106, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_job_creation.toml (92:99, 6%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (129:135, 5%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (78:84, 8%) 6 duplicated lines in: - rules/promotions/execution_endgame_exploit_detected.toml (78:84, 7%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (39:45, 5%) - rules_building_block/discovery_suspicious_proc_enumeration.toml (40:46, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (25:30, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (84:89, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (90:95, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (67:72, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (86:91, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (86:91, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/credential_access_dcsync_user_backdoor.toml (102:109, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (328:336, 1%) - rules_building_block/collection_posh_compression.toml (80:88, 4%) 6 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (129:135, 5%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (75:81, 8%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (107:114, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (112:117, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (168:173, 3%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (143:148, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (282:287, 2%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (152:157, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (47:52, 11%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (161:167, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (104:110, 6%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (83:88, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/command_and_control_common_webservices.toml (136:141, 1%) - rules_building_block/command_and_control_bitsadmin_activity.toml (28:33, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_shadow_file_read.toml (116:122, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (50:55, 10%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (135:140, 3%) - rules_building_block/discovery_of_domain_groups.toml (44:49, 12%) 6 duplicated lines in: - rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml (110:115, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml (84:89, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (60:66, 10%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (78:84, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (61:66, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (103:108, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (148:153, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:56, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (84:89, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml (43:48, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:50, 8%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (135:140, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_service_creation.toml (135:140, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (66:71, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (67:72, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_root_certificate_installation.toml (94:100, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (116:122, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (91:96, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml (111:116, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (124:129, 4%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (85:90, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_psexesvc.toml (96:101, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (61:66, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (64:69, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml (65:70, 7%) - rules_building_block/execution_aws_lambda_function_updated.toml (38:43, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (48:54, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:53, 6%) 6 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (97:102, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (52:57, 8%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (103:108, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (76:82, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (32:38, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (118:124, 4%) - rules_building_block/discovery_generic_account_groups.toml (29:35, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (114:119, 5%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (148:153, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:71, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_enabled_registry.toml (76:82, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (3:9, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (165:170, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (64:69, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (84:90, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (96:101, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_instance_made_public.toml (100:105, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/linux/persistence_bpf_probe_write_user.toml (78:83, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (135:140, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (12:17, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (14:19, 5%) 6 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (149:155, 4%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_job_creation.toml (92:99, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml (109:114, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/linux/persistence_insmod_kernel_module_load.toml (112:117, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (85:90, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (102:107, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (154:160, 4%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (117:122, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (117:122, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (150:155, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (109:114, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (82:87, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml (65:70, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (83:89, 5%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (87:92, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 5%) 6 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (107:112, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_db_instance_password_modified.toml (99:104, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (44:50, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:53, 6%) 6 duplicated lines in: - rules/windows/collection_posh_clipboard_capture.toml (81:86, 4%) - rules_building_block/collection_posh_compression.toml (41:46, 4%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (45:50, 5%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (81:87, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (39:45, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_log_files_deleted.toml (98:103, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (81:86, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_driver_newterm_imphash.toml (144:150, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (133:139, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (105:112, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (100:107, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (129:134, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (129:134, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml (108:113, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_clipup.toml (119:124, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_ld_so_creation.toml (92:98, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (107:114, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml (86:91, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (55:60, 7%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (69:74, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (84:89, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (118:123, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (26:31, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (162:170, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (64:72, 5%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (84:89, 6%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml (112:118, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (81:87, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (134:140, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (132:138, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (105:110, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml (105:110, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (61:66, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (91:97, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (76:82, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (37:43, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (96:101, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (67:72, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml (110:115, 5%) - rules_building_block/discovery_generic_account_groups.toml (65:70, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/persistence_manual_dracut_execution.toml (84:89, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (74:79, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (61:66, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml (16:21, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_zoom_child_process.toml (145:150, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (22:27, 7%) - rules_building_block/discovery_system_time_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (79:84, 3%) - rules_building_block/discovery_net_view.toml (59:64, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (115:121, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (102:107, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (100:107, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (104:110, 6%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (83:88, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (104:109, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/integrations/azure/defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml (134:139, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_wmi_script.toml (92:97, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (117:122, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (93:99, 6%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (117:122, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml (119:125, 5%) - rules_building_block/collection_archive_data_zip_imageload.toml (57:62, 9%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml (90:95, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (82:87, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:50, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (120:125, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (91:96, 6%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_create_process_as_different_user.toml (58:63, 7%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_powershell_remoting_target.toml (70:75, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (46:51, 5%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (79:84, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (76:82, 8%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (108:113, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (108:113, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (107:112, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_service_installed_winlog.toml (56:61, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (27:32, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml (75:80, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (79:86, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_kalilinux.toml (79:85, 6%) - rules_building_block/discovery_system_time_discovery.toml (38:44, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (88:93, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (46:51, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (96:101, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (104:109, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/linux/persistence_systemd_service_creation.toml (240:246, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (99:104, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (174:179, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (98:104, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (124:129, 3%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (79:86, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (125:130, 3%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (174:179, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/persistence_browser_extension_install.toml (61:66, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (116:121, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:115, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (63:68, 5%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (111:118, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml (86:91, 4%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (148:156, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (64:72, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (117:124, 4%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (38:43, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (106:111, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (132:137, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (68:73, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (114:119, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (114:119, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/discovery_esxi_software_via_grep.toml (90:95, 5%) - rules_building_block/discovery_capnetraw_capability.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (84:90, 5%) - rules_building_block/discovery_windows_system_information_discovery.toml (38:44, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml (131:136, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (72:77, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (164:169, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (164:169, 3%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (92:97, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/linux/persistence_simple_web_server_creation.toml (148:153, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (122:127, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (117:122, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml (74:80, 8%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/linux/privilege_escalation_unshare_namespace_manipulation.toml (117:122, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (95:102, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/windows/execution_mofcomp.toml (27:32, 5%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/linux/execution_shell_via_lolbin_interpreter_linux.toml (142:147, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (42:47, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (79:87, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (68:76, 5%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (22:27, 11%) 6 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (60:66, 10%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (75:81, 8%) 6 duplicated lines in: - rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml (99:104, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:71, 7%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml (80:85, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (84:90, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/macos/lateral_movement_vpn_connection_attempt.toml (106:111, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (107:112, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (3:9, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (133:139, 3%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (55:60, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (29:35, 2%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/windows/execution_downloaded_shortcut_files.toml (21:26, 6%) - rules_building_block/execution_wmi_wbemtest.toml (29:34, 11%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_defender_powershell.toml (71:76, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (140:146, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (94:101, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml (122:127, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (118:124, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (31:37, 3%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_posh_password_policy.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (45:51, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:53, 6%) 6 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (102:107, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (50:55, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (88:93, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (85:90, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (61:66, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (96:101, 1%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (154:160, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (29:34, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (79:86, 6%) - rules_building_block/collection_archive_data_zip_imageload.toml (52:59, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (141:147, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/persistence_suspicious_service_created_registry.toml (104:109, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (117:122, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (146:151, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_parent_process_pid_spoofing.toml (25:30, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (24:29, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_managedcode_host_process.toml (67:72, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (106:111, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (26:31, 6%) - rules_building_block/lateral_movement_wmic_remote.toml (29:34, 8%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (111:116, 3%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (65:70, 4%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (155:160, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (76:82, 4%) - rules_building_block/discovery_system_service_discovery.toml (39:45, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/command_and_control_screenconnect_childproc.toml (68:73, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (138:143, 3%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml (93:98, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml (98:103, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (100:105, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/linux/persistence_lkm_configuration_file_creation.toml (20:25, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (51:56, 8%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (85:90, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (55:60, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (26:31, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (114:119, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (152:157, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (82:88, 4%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (79:85, 5%) - rules_building_block/discovery_system_time_discovery.toml (38:44, 10%) 6 duplicated lines in: - rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml (20:25, 3%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (60:65, 5%) - rules_building_block/lateral_movement_at.toml (29:34, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_user_discovery.toml (124:129, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (42:47, 11%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml (96:101, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (159:167, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (73:81, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml (68:73, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/privilege_escalation_persistence_phantom_dll.toml (193:198, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (112:118, 5%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (88:93, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (61:66, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml (133:139, 4%) - rules_building_block/discovery_system_service_discovery.toml (39:45, 10%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (328:336, 1%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (68:76, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (65:70, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml (54:59, 9%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (59:64, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/impact_ransomware_note_file_over_smb.toml (100:105, 6%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (177:183, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (177:183, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_posh_password_policy.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (112:117, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_netcon.toml (131:136, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (109:114, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_signal_unusual_user_host.toml (21:26, 11%) 6 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (128:133, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (2:8, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (3:9, 6%) 6 duplicated lines in: - rules/windows/persistence_user_account_creation.toml (63:68, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (54:59, 8%) - rules_building_block/execution_github_new_event_action_for_pat.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (88:93, 4%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_group_deletion.toml (64:69, 8%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (31:36, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (79:84, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (61:66, 6%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (161:166, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (66:71, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (55:60, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_internal.toml (100:105, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/linux/command_and_control_telegram_api_request.toml (57:62, 7%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (21:26, 7%) - rules_building_block/discovery_security_software_wmic.toml (56:61, 6%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (116:122, 5%) - rules_building_block/lateral_movement_at.toml (55:60, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/persistence_evasion_hidden_local_account_creation.toml (71:77, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (61:66, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/credential_access_posh_veeam_sql.toml (75:80, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (26:31, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_root_dir_ads_creation.toml (65:70, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml (90:95, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (88:93, 5%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml (87:92, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (101:107, 6%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (89:94, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/collection_email_outlook_mailbox_via_com.toml (24:29, 5%) - rules_building_block/collection_files_staged_in_recycle_bin_root.toml (23:28, 11%) 6 duplicated lines in: - rules/linux/discovery_polkit_version_discovery.toml (79:84, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml (86:91, 7%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (328:336, 1%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (73:81, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (118:124, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (66:71, 7%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (89:95, 7%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/linux/discovery_linux_nping_activity.toml (105:110, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/privilege_escalation_group_policy_scheduled_task.toml (86:91, 4%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (43:48, 6%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (179:186, 3%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/integrations/aws/impact_s3_object_versioning_disabled.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_ssl_certificate_deletion.toml (88:94, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml (71:76, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (129:135, 5%) - rules_building_block/discovery_capnetraw_capability.toml (83:88, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_execution.toml (137:142, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (141:147, 1%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (63:68, 5%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (91:96, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (23:28, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (53:58, 5%) - rules_building_block/discovery_capnetraw_capability.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/credential_access_veeam_backup_dll_imageload.toml (78:83, 6%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (50:55, 10%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (19:24, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (58:63, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/impact_github_member_removed_from_organization.toml (3:9, 14%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (107:112, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (80:85, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (103:110, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (71:76, 5%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml (259:264, 2%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (85:90, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_suspicious_powershell_imgload.toml (110:116, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (120:125, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/linux/discovery_process_capabilities.toml (46:51, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_load.toml (108:113, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (65:70, 4%) - rules_building_block/execution_unsigned_service_executable.toml (22:27, 8%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/command_and_control_certreq_postdata.toml (148:153, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (49:54, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (141:147, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml (161:166, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_office_child_process.toml (163:168, 3%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:76, 8%) 6 duplicated lines in: - rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml (93:98, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (82:87, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/privilege_escalation_via_rogue_named_pipe.toml (64:69, 6%) - rules_building_block/discovery_net_view.toml (52:57, 6%) 6 duplicated lines in: - rules/linux/persistence_web_server_sus_command_execution.toml (153:158, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml (94:99, 4%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/persistence_simple_web_server_connection_accepted.toml (47:52, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (135:141, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml (125:130, 5%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (50:55, 10%) 6 duplicated lines in: - rules/linux/persistence_at_job_creation.toml (133:138, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_dnsnode_creation.toml (85:90, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (22:27, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/execution_posh_portable_executable.toml (134:140, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml (93:98, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:76, 8%) 6 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (177:182, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (81:87, 4%) - rules_building_block/discovery_system_time_discovery.toml (38:44, 10%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_hash.toml (86:91, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (153:158, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (61:66, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/lateral_movement_dcom_hta.toml (63:68, 6%) - rules_building_block/lateral_movement_at.toml (29:34, 8%) 6 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (84:89, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (46:52, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:53, 6%) 6 duplicated lines in: - rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml (117:122, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (153:158, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_location.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (102:108, 5%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (87:92, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (163:168, 3%) - rules_building_block/collection_posh_compression.toml (118:123, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/execution_psexec_lateral_movement_command.toml (63:68, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/persistence_systemd_scheduled_timer_created.toml (147:152, 3%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (57:62, 6%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/persistence_shared_object_creation.toml (194:200, 3%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml (104:110, 6%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (132:138, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (75:80, 5%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml (98:103, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_snapshot_deleted.toml (29:34, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (32:37, 10%) 6 duplicated lines in: - rules/macos/credential_access_dumping_hashes_bi_cmds.toml (101:106, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (53:58, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (154:160, 4%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (91:97, 5%) - rules_building_block/discovery_system_service_discovery.toml (39:45, 10%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (147:154, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_windefend_unusual_path.toml (73:78, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (169:175, 3%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (123:129, 5%) - rules_building_block/discovery_internet_capabilities.toml (55:61, 10%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (92:97, 7%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (97:102, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/execution_unusual_interactive_process_inside_container.toml (76:82, 8%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (95:100, 4%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_exploit_cve_202238028.toml (101:106, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (55:60, 10%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (102:107, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (42:47, 11%) 6 duplicated lines in: - rules/windows/collection_posh_audio_capture.toml (83:89, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/linux/discovery_port_scanning_activity_from_compromised_host.toml (104:111, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (85:92, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (83:88, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (114:120, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (95:100, 4%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (52:57, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (109:114, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (77:82, 7%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_potential_processherpaderping.toml (25:30, 11%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/windows/persistence_powershell_profiles.toml (150:155, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/credential_access_posh_minidump.toml (50:55, 5%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/persistence_user_or_group_creation_or_modification.toml (60:65, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (153:158, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/linux/lateral_movement_ssh_it_worm_download.toml (82:87, 5%) - rules_building_block/discovery_capnetraw_capability.toml (45:50, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_remote_password_reset.toml (106:111, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (46:52, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (47:53, 6%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (114:121, 4%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/execution_via_mmc_console_file_unusual_path.toml (121:126, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/discovery_active_directory_webservice.toml (22:27, 7%) - rules_building_block/discovery_system_service_discovery.toml (30:35, 10%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml (114:119, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (64:69, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (55:61, 10%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (82:88, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (149:155, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (162:167, 3%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (88:93, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (81:87, 5%) - rules_building_block/discovery_system_service_discovery.toml (39:45, 10%) 6 duplicated lines in: - rules/_deprecated/execution_suspicious_jar_child_process.toml (102:108, 6%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (51:56, 8%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (131:136, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml (146:151, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (70:75, 8%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (52:57, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (90:95, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (109:114, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml (84:89, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/credential_access_dollar_account_relay.toml (61:66, 6%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (22:27, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (96:101, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_posh_password_policy.toml (40:45, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (90:95, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_win_network_connections.toml (23:28, 9%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (152:157, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (149:155, 4%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (62:67, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (259:265, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (86:91, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/azure/initial_access_external_guest_user_invite.toml (91:96, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (51:56, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (47:52, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (108:113, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (108:113, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (61:66, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_posh_password_policy.toml (40:45, 5%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml (99:104, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (141:146, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (81:86, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/collection_posh_screen_grabber.toml (84:90, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_system_service_discovery.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/credential_access_remote_sam_secretsdump.toml (107:112, 6%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (22:27, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (49:54, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_sccm_scnotification_dll.toml (75:80, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml (43:48, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml (91:96, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (61:66, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/linux/persistence_unusual_exim4_child_process.toml (55:61, 10%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (23:28, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (49:54, 5%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (63:69, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (26:31, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/execution_windows_script_from_internet.toml (115:120, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (129:134, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (146:151, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_wmi.toml (101:106, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (112:119, 3%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (130:135, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (130:135, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml (108:113, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_group_creation.toml (64:69, 7%) - rules_building_block/defense_evasion_aws_rds_snapshot_created.toml (31:36, 10%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml (90:95, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (83:88, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml (41:46, 6%) - rules_building_block/discovery_net_view.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (112:119, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (37:42, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/linux/command_and_control_curl_socks_proxy_detected.toml (58:63, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/threat_intel/threat_intel_indicator_match_url.toml (97:102, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (126:131, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (100:105, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (41:46, 6%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (68:73, 4%) - rules_building_block/credential_access_mdmp_file_unusual_extension.toml (23:28, 8%) 6 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (59:64, 10%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (3:9, 11%) 6 duplicated lines in: - rules/linux/initial_access_first_time_public_key_authentication.toml (83:88, 6%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml (35:40, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (23:28, 11%) 6 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (94:100, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/linux/discovery_suspicious_memory_grep_activity.toml (62:67, 7%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (195:200, 3%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/lateral_movement_rdp_sharprdp_target.toml (26:31, 6%) - rules_building_block/lateral_movement_at.toml (29:34, 8%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (89:94, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/command_and_control_dns_tunneling_nslookup.toml (87:92, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_internet_capabilities.toml (55:61, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml (64:69, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (104:109, 2%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (148:156, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (68:76, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (57:62, 8%) 6 duplicated lines in: - rules/linux/persistence_grub_configuration_creation.toml (88:94, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:115, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/macos/execution_script_via_automator_workflows.toml (98:103, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_rundll32_no_arguments.toml (104:109, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/linux/persistence_systemd_service_started.toml (212:217, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (88:94, 3%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml (102:107, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_unusual_preload_env_vars.toml (58:63, 4%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/linux/persistence_kworker_file_creation.toml (179:186, 3%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/persistence_linux_group_creation.toml (102:107, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (83:89, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_source_download.toml (83:89, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (61:66, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (129:135, 5%) - rules_building_block/discovery_capnetraw_capability.toml (83:88, 7%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (132:137, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (132:137, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (118:123, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml (131:136, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (96:101, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (80:85, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_utility.toml (128:133, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/persistence_app_compat_shim.toml (72:78, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/credential_access_kirbi_file.toml (65:70, 6%) - rules_building_block/credential_access_mdmp_file_creation.toml (23:28, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (105:110, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/aws/impact_rds_snapshot_deleted.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (115:120, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/initial_access_execution_remote_via_msiexec.toml (119:124, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/macos/persistence_suspicious_calendar_modification.toml (105:110, 6%) - rules_building_block/privilege_escalation_trap_execution.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (65:70, 7%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (77:82, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (29:34, 6%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml (53:59, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml (53:59, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (112:119, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/linux/discovery_security_file_access_via_common_utility.toml (85:90, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (171:176, 3%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (44:49, 2%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml (92:97, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (26:31, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml (143:149, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (109:114, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml (109:114, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (79:84, 8%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (78:83, 8%) 6 duplicated lines in: - rules/windows/persistence_evasion_registry_ifeo_injection.toml (116:121, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (125:130, 5%) - rules_building_block/discovery_internet_capabilities.toml (42:47, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/macos/lateral_movement_remote_ssh_login_enabled.toml (102:107, 6%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/persistence_services_registry.toml (63:68, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml (51:56, 8%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (74:79, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_sts_role_chaining.toml (120:125, 5%) - rules_building_block/lateral_movement_wmic_remote.toml (65:70, 8%) 6 duplicated lines in: - rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml (116:122, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (75:80, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (45:50, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_business_apps_installer.toml (205:210, 2%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/persistence_appinitdlls_registry.toml (130:136, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (150:155, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:56, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml (41:46, 6%) - rules_building_block/discovery_security_software_wmic.toml (48:53, 6%) 6 duplicated lines in: - rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml (111:116, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/execution_shell_via_suspicious_binary.toml (135:140, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (122:127, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_network_manager_dispatcher_persistence.toml (122:127, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (60:65, 5%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (112:119, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (93:99, 6%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (102:108, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (88:93, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (112:119, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (155:160, 4%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (60:65, 8%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml (86:91, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (77:82, 7%) 6 duplicated lines in: - rules/linux/persistence_pth_file_creation.toml (119:126, 4%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (125:131, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (103:108, 5%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/lateral_movement_ssh_process_launched_inside_container.toml (109:115, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml (114:120, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml (28:33, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_service_control_spawned_script_int.toml (138:143, 3%) - rules_building_block/execution_wmi_wbemtest.toml (47:52, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_process_injection.toml (92:98, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/windows/credential_access_imageload_azureadconnectauthsvc.toml (61:66, 6%) - rules_building_block/credential_access_win_private_key_access.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (133:138, 3%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/persistence_linux_shell_activity_via_web_server.toml (94:99, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (99:104, 4%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (114:119, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml (130:136, 4%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (50:55, 10%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (161:166, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (117:122, 5%) 6 duplicated lines in: - rules/windows/credential_access_posh_invoke_ninjacopy.toml (63:69, 5%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (95:102, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (57:64, 7%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/command_and_control_teamviewer_remote_file_copy.toml (120:127, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (49:56, 9%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (106:113, 6%) - rules_building_block/lateral_movement_at.toml (55:60, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/persistence_registry_uncommon.toml (60:65, 3%) - rules_building_block/persistence_startup_folder_lnk.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/credential_access_credential_dumping_msbuild.toml (153:158, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (41:46, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (2:8, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (3:9, 6%) 6 duplicated lines in: - rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml (120:127, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (85:92, 5%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (130:135, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (123:128, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (123:128, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (103:108, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/discovery_proc_maps_read.toml (52:57, 6%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (106:113, 6%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (87:92, 6%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (161:166, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml (149:154, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (68:73, 3%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/credential_access_veeam_commands.toml (81:87, 5%) - rules_building_block/command_and_control_bitsadmin_activity.toml (39:45, 7%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/credential_access_ssh_backdoor_log.toml (145:152, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (84:89, 6%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/execution_unusual_path_invocation_from_command_line.toml (126:132, 5%) - rules_building_block/execution_unsigned_service_executable.toml (73:79, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml (96:101, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (94:99, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (114:119, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (89:94, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (149:154, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/integrations/aws/impact_iam_group_deletion.toml (70:75, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_console_history.toml (81:87, 5%) - rules_building_block/discovery_system_service_discovery.toml (39:45, 10%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (41:46, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/linux/persistence_kernel_object_file_creation.toml (112:118, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (76:82, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (32:38, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (102:107, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml (90:96, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_automation_account_created.toml (74:79, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (46:51, 8%) 6 duplicated lines in: - rules/linux/discovery_kernel_module_enumeration.toml (123:129, 5%) - rules_building_block/discovery_signal_unusual_user_host.toml (47:53, 11%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (72:78, 8%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (159:164, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_service_disabled_registry.toml (57:62, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (128:134, 5%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (71:76, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml (140:146, 4%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (61:66, 7%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (19:24, 11%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (109:114, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (74:79, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_task_creation.toml (62:67, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_scheduled_task_target.toml (76:81, 7%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (97:102, 5%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/aws/persistence_rds_cluster_creation.toml (99:104, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (39:45, 5%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (44:49, 8%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml (95:100, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (45:50, 10%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (76:84, 3%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (43:51, 4%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (19:24, 8%) - rules_building_block/discovery_posh_password_policy.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/windows/persistence_webshell_detection.toml (23:28, 3%) - rules_building_block/defense_evasion_cmstp_execution.toml (20:25, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (37:42, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (101:106, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (111:117, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (100:107, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_creation.toml (26:33, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (58:65, 3%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (150:155, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (71:76, 8%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (102:107, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/discovery_posh_invoke_sharefinder.toml (41:47, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (36:42, 6%) 6 duplicated lines in: - rules/linux/persistence_linux_user_account_creation.toml (101:106, 5%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml (89:94, 6%) - rules_building_block/persistence_github_new_user_added_to_organization.toml (36:41, 13%) 6 duplicated lines in: - rules/windows/credential_access_rare_webdav_destination.toml (43:48, 8%) - rules_building_block/credential_access_mdmp_file_creation.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_generic_account_groups.toml (22:27, 6%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_anomalous_user_name.toml (85:90, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (39:44, 6%) 6 duplicated lines in: - rules/linux/execution_system_binary_file_permission_change.toml (107:113, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (93:100, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (74:79, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml (152:157, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml (152:157, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml (102:109, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (84:91, 5%) 6 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files.toml (61:66, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (123:128, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (123:128, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load_by_non_root.toml (116:121, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml (15:20, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (24:29, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (61:66, 7%) - rules_building_block/privilege_escalation_trap_execution.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/linux/execution_shell_openssl_client_or_server.toml (124:129, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/privilege_escalation_lsa_auth_package.toml (31:37, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (32:38, 7%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (108:113, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/persistence_suspicious_com_hijack_registry.toml (54:59, 3%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (3:9, 11%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (129:134, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (129:134, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/execution_file_made_executable_via_chmod_inside_container.toml (99:105, 5%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (100:107, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (89:96, 6%) 6 duplicated lines in: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (168:173, 3%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (50:55, 8%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (92:97, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/exfiltration_potential_curl_data_exfiltration.toml (60:65, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (103:108, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/linux/persistence_git_hook_execution.toml (123:128, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/linux/discovery_unusual_user_enumeration_via_id.toml (46:51, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (100:107, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (91:96, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_iis_httplogging_disabled.toml (66:71, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml (87:92, 4%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (3:9, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (86:91, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_unusual_pam_grantor.toml (86:91, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (93:99, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/impact_github_member_removed_from_organization.toml (3:9, 14%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (69:74, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (55:60, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_via_filter_manager.toml (107:112, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/persistence_services_registry.toml (63:68, 4%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_base64_decoding_activity.toml (130:135, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (106:112, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_netcon_via_sudo_binary.toml (106:112, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_windows_filtering_platform.toml (80:85, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (147:154, 3%) - rules_building_block/defense_evasion_service_path_registry.toml (47:54, 7%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_file_creation.toml (152:157, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml (57:62, 5%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/discovery_pam_version_discovery.toml (136:141, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/macos/credential_access_kerberosdump_kcc.toml (102:107, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_directory_creation.toml (130:135, 5%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (60:65, 7%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (54:59, 8%) - rules_building_block/execution_github_repo_interaction_from_new_ip.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (95:102, 5%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (66:71, 5%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (62:67, 7%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_failures.toml (29:34, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/execution_via_compiled_html_file.toml (163:168, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml (86:91, 3%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_installutil_beacon.toml (61:66, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (74:80, 8%) - rules_building_block/discovery_generic_registry_query.toml (65:71, 8%) 6 duplicated lines in: - rules/windows/execution_posh_psreflect.toml (100:105, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (102:107, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/discovery_kernel_unpacking.toml (46:51, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/macos/persistence_directory_services_plugins_modification.toml (99:104, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (40:45, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (125:130, 3%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (102:107, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml (51:56, 10%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml (134:140, 4%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml (70:76, 8%) - rules_building_block/defense_evasion_masquerading_browsers.toml (170:175, 3%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (105:110, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (96:101, 4%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml (69:74, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (24:29, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml (120:125, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (63:68, 6%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/persistence_ssh_key_generation.toml (93:98, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (114:119, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (56:61, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_compressed.toml (158:163, 3%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/linux/lateral_movement_telnet_network_activity_external.toml (99:104, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml (19:24, 8%) - rules_building_block/discovery_windows_system_information_discovery.toml (28:33, 8%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (65:70, 7%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/cross-platform/execution_revershell_via_shell_cmd.toml (90:95, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (102:107, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml (91:96, 6%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml (103:108, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (72:78, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/impact_stop_process_service_threshold.toml (12:17, 7%) - rules_building_block/discovery_system_service_discovery.toml (15:20, 10%) 6 duplicated lines in: - rules/network/command_and_control_accepted_default_telnet_port_connection.toml (97:102, 5%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (37:42, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/persistence_netsh_helper_dll.toml (72:78, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (32:38, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/collection_mailbox_export_winlog.toml (79:87, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (73:81, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/linux/command_and_control_ip_forwarding_activity.toml (64:70, 7%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml (124:129, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (116:121, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml (96:101, 6%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (45:50, 11%) 6 duplicated lines in: - rules/windows/persistence_time_provider_mod.toml (89:94, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/promotions/credential_access_endgame_cred_dumping_detected.toml (74:79, 8%) - rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml (50:55, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (85:90, 5%) - rules_building_block/discovery_linux_system_owner_user_discovery.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml (150:155, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml (61:67, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (93:99, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (31:37, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_scrobj_load.toml (55:60, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml (115:120, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (100:105, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_kernel_module_removal.toml (132:137, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_evasion_rdp_shadowing.toml (99:106, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml (116:121, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/linux/execution_suspicious_executable_running_system_commands.toml (128:134, 5%) - rules_building_block/execution_github_new_event_action_for_pat.toml (46:52, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (82:88, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/persistence_udev_rule_creation.toml (49:54, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (132:137, 1%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/linux/execution_abnormal_process_id_file_created.toml (149:155, 4%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (47:53, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_unusual_process.toml (115:120, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (93:98, 6%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml (94:99, 6%) - rules_building_block/execution_unsigned_service_executable.toml (60:65, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_process_termination_followed_by_deletion.toml (97:102, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml (95:100, 6%) - rules_building_block/defense_evasion_processes_with_trailing_spaces.toml (43:48, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (86:91, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_sessions.toml (41:46, 13%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_started_by_svchost.toml (105:110, 3%) - rules_building_block/execution_settingcontent_ms_file_creation.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (111:117, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation.toml (111:117, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml (69:74, 5%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (26:31, 12%) 6 duplicated lines in: - rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml (104:109, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_certutil_commands.toml (115:120, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml (114:119, 4%) - rules_building_block/execution_wmi_wbemtest.toml (28:33, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (55:60, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (48:53, 5%) 6 duplicated lines in: - rules/linux/persistence_cron_job_creation.toml (228:234, 2%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml (105:110, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/integrations/azure/execution_command_virtual_machine.toml (84:89, 7%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_masquerading_vlc_dll.toml (64:69, 8%) 6 duplicated lines in: - rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml (146:152, 4%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (75:81, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick.toml (39:44, 7%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (25:30, 8%) 6 duplicated lines in: - rules/macos/execution_shell_execution_via_apple_scripting.toml (102:107, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml (83:89, 8%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (117:123, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (26:31, 8%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml (65:70, 7%) - rules_building_block/lateral_movement_rdp_conn_unusual_process.toml (54:59, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_interactive_shell_from_system_user.toml (129:135, 5%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (77:83, 8%) 6 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (109:114, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_code_signing_policy_modification_registry.toml (95:100, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml (98:103, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (70:75, 7%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (129:134, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (129:134, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml (92:98, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml (99:104, 6%) - rules_building_block/collection_common_compressed_archived_file.toml (117:122, 5%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (40:46, 15%) - rules_building_block/execution_linux_segfault.toml (58:64, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation.toml (75:80, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (41:46, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/persistence_group_modification_by_system.toml (92:97, 7%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (98:103, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml (98:103, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (98:103, 5%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_task_scripting.toml (71:76, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml (145:150, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (138:143, 3%) 6 duplicated lines in: - rules/windows/persistence_run_key_and_startup_broad.toml (306:313, 2%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml (133:138, 4%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml (95:100, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/linux/persistence_dracut_module_creation.toml (79:84, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (50:55, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (89:94, 6%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (24:29, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (52:57, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (44:49, 8%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_process_discovery.toml (125:130, 5%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (41:46, 11%) 6 duplicated lines in: - rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml (74:80, 8%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/integrations/aws/initial_access_console_login_root.toml (95:100, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (100:105, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/initial_access_suspicious_ms_outlook_child_process.toml (150:155, 4%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (52:57, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_powershell.toml (100:105, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (45:50, 5%) 6 duplicated lines in: - rules/ml/execution_ml_windows_anomalous_script.toml (109:114, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (136:141, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml (146:151, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (51:56, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (81:86, 7%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_linux_modprobe_enumeration.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/privilege_escalation_uac_bypass_mock_windir.toml (152:157, 4%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/integrations/github/execution_github_app_deleted.toml (2:8, 9%) - rules_building_block/execution_github_repo_created.toml (3:9, 14%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/linux/execution_shell_via_udp_cli_utility_linux.toml (145:150, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/command_and_control_encrypted_channel_freesslcert.toml (62:67, 6%) - rules_building_block/command_and_control_certutil_network_connection.toml (137:142, 3%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/linux/persistence_site_and_user_customize_file_creation.toml (149:155, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml (110:115, 4%) - rules_building_block/discovery_net_view.toml (57:62, 6%) 6 duplicated lines in: - rules/linux/persistence_systemd_shell_execution.toml (111:117, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (41:46, 13%) - rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml (44:49, 9%) 6 duplicated lines in: - rules/windows/execution_suspicious_image_load_wmi_ms_office.toml (65:70, 7%) - rules_building_block/discovery_posh_generic.toml (39:44, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml (59:64, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml (78:83, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/windows/credential_access_lsass_memdump_handle_access.toml (87:92, 3%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (55:60, 7%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_sudo_hijacking.toml (137:142, 4%) - rules_building_block/defense_evasion_dll_hijack.toml (84:89, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_regmod_remotemonologue.toml (26:31, 8%) - rules_building_block/defense_evasion_cmstp_execution.toml (31:36, 10%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_generic_process_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/windows/privilege_escalation_installertakeover.toml (118:124, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (30:36, 6%) 6 duplicated lines in: - rules/windows/execution_via_hidden_shell_conhost.toml (120:125, 4%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (73:78, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml (105:112, 5%) - rules_building_block/credential_access_mdmp_file_creation.toml (79:86, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_posh_password_policy.toml (40:45, 5%) 6 duplicated lines in: - rules/windows/credential_access_suspicious_comsvcs_imageload.toml (155:160, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (66:71, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (38:43, 5%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (132:137, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (192:197, 3%) 6 duplicated lines in: - rules/windows/persistence_evasion_hidden_local_account_creation.toml (71:77, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (32:38, 7%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/persistence_boot_file_copy.toml (145:150, 4%) - rules_building_block/execution_unsigned_service_executable.toml (56:61, 8%) 6 duplicated lines in: - rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml (104:109, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_write_dac_access.toml (44:49, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (122:127, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (61:66, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_communication_apps.toml (21:26, 4%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/persistence_systemd_netcon.toml (133:139, 5%) - rules_building_block/collection_common_compressed_archived_file.toml (117:122, 5%) 6 duplicated lines in: - rules/linux/persistence_process_capability_set_via_setcap.toml (81:86, 6%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (55:60, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (39:44, 6%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (114:119, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/execution_from_unusual_path_cmdline.toml (254:259, 2%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (56:61, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml (67:72, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/persistence_credential_access_modify_ssh_binaries.toml (185:191, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (59:64, 5%) - rules_building_block/lateral_movement_unusual_process_sql_accounts.toml (26:31, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml (58:63, 5%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/persistence_shadow_file_modification.toml (48:53, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/persistence_appcertdlls_registry.toml (110:115, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml (110:115, 5%) - rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (195:201, 3%) - rules_building_block/discovery_capnetraw_capability.toml (78:84, 7%) 6 duplicated lines in: - rules/windows/command_and_control_tunnel_vscode.toml (20:25, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (20:25, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/impact_github_user_blocked_from_organization.toml (3:9, 14%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (40:45, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_masquerading_renamed_autoit.toml (103:108, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (29:34, 7%) 6 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (134:139, 4%) - rules_building_block/collection_common_compressed_archived_file.toml (121:126, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/impact_high_freq_file_renames_by_kernel.toml (98:103, 6%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/collection_posh_compression.toml (130:135, 4%) 6 duplicated lines in: - rules/windows/lateral_movement_incoming_winrm_shell_execution.toml (67:72, 6%) - rules_building_block/lateral_movement_at.toml (29:34, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (106:111, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/credential_access_persistence_network_logon_provider_modification.toml (147:154, 3%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_encryption.toml (59:65, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_injection_msbuild.toml (56:61, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (22:27, 6%) 6 duplicated lines in: - rules/windows/credential_access_posh_kerb_ticket_dump.toml (50:55, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml (157:162, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/linux/persistence_grub_makeconfig.toml (103:110, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (37:44, 12%) 6 duplicated lines in: - rules/linux/execution_shell_via_tcp_cli_utility_linux.toml (125:130, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml (71:76, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/_deprecated/execution_via_net_com_assemblies.toml (31:37, 13%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/linux/execution_python_webserver_spawned.toml (108:115, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml (91:96, 6%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/persistence_msi_installer_task_startup.toml (101:108, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (55:60, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (47:52, 5%) 6 duplicated lines in: - rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml (128:134, 4%) - rules_building_block/discovery_linux_sysctl_enumeration.toml (72:78, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (23:28, 3%) 6 duplicated lines in: - rules/windows/credential_access_disable_kerberos_preauth.toml (117:122, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_information_discovery.toml (125:130, 5%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (88:93, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (61:66, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (85:90, 5%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml (76:82, 6%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/network/command_and_control_halfbaked_beacon.toml (81:86, 7%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml (117:123, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (57:62, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/discovery_adfind_command_activity.toml (74:79, 4%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (159:167, 3%) - rules_building_block/persistence_transport_agent_exchange.toml (64:72, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml (68:73, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/linux/persistence_git_hook_file_creation.toml (96:102, 4%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/discovery_pspy_process_monitoring_detected.toml (100:106, 6%) - rules_building_block/discovery_generic_process_discovery.toml (54:59, 10%) 6 duplicated lines in: - rules/windows/discovery_group_policy_object_discovery.toml (64:69, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (55:60, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_create_mod_root_certificate.toml (78:83, 4%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml (84:89, 6%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (38:43, 7%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/linux/persistence_git_hook_process_execution.toml (142:147, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (141:147, 1%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (54:60, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (56:61, 6%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/execution_enumeration_via_wmiprvse.toml (112:117, 4%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (94:99, 6%) 6 duplicated lines in: - rules/linux/execution_shell_via_background_process.toml (125:130, 5%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml (39:44, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_amsi_bypass_dllhijack.toml (103:108, 3%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (141:147, 1%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (52:58, 5%) 6 duplicated lines in: - rules/windows/lateral_movement_cmd_service.toml (59:64, 5%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (45:50, 5%) 6 duplicated lines in: - rules/windows/discovery_privileged_localgroup_membership.toml (111:116, 3%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (56:61, 6%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml (153:159, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (73:78, 7%) 6 duplicated lines in: - rules/linux/discovery_sudo_allowed_command_enumeration.toml (84:89, 6%) - rules_building_block/discovery_of_domain_groups.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (95:100, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_dynamic_linker_backup.toml (116:121, 3%) - rules_building_block/command_and_control_non_standard_http_port.toml (92:97, 4%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml (37:42, 7%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (54:59, 6%) 6 duplicated lines in: - rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml (90:95, 7%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_process_network_connection.toml (52:57, 6%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/_deprecated/initial_access_login_time.toml (29:34, 13%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (29:34, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml (146:151, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/persistence_local_scheduled_job_creation.toml (92:99, 6%) - rules_building_block/defense_evasion_outlook_suspicious_child.toml (68:75, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (172:177, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (53:58, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_assembly_load.toml (172:177, 3%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (65:70, 7%) 6 duplicated lines in: - rules/linux/persistence_kernel_driver_load.toml (110:115, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/discovery_process_discovery_via_builtin_tools.toml (19:24, 11%) 6 duplicated lines in: - rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml (73:79, 8%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (96:102, 6%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (56:61, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (38:43, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (22:27, 9%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (107:112, 4%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/linux/execution_shell_evasion_linux_binary.toml (127:132, 3%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_path_activity.toml (109:114, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/collection_posh_webcam_video_capture.toml (83:89, 5%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/windows/credential_access_wireless_creds_dumping.toml (141:146, 4%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (88:93, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml (39:44, 7%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/persistence_via_application_shimming.toml (66:71, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (22:27, 9%) 6 duplicated lines in: - rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml (107:112, 5%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml (111:117, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/linux/discovery_kernel_seeking.toml (47:52, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/discovery_suid_sguid_enumeration.toml (49:54, 5%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (103:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/macos/persistence_docker_shortcuts_plist_modification.toml (103:108, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_linux_anomalous_user_name.toml (102:107, 6%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/privilege_escalation_via_rogue_named_pipe.toml (64:69, 6%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (49:54, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml (62:67, 6%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml (134:139, 4%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (76:81, 6%) 6 duplicated lines in: - rules/linux/execution_process_backgrounded_by_unusual_parent.toml (120:125, 4%) - rules_building_block/discovery_posh_password_policy.toml (106:111, 5%) 6 duplicated lines in: - rules/linux/defense_evasion_directory_creation_in_bin.toml (126:132, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/impact_github_pat_access_revoked.toml (3:9, 14%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_file_dir_tmp.toml (137:143, 4%) - rules_building_block/defense_evasion_download_susp_extension.toml (70:75, 7%) 6 duplicated lines in: - rules/windows/execution_command_prompt_connecting_to_the_internet.toml (140:145, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (114:119, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_script.toml (56:61, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/execution_posh_hacktool_functions.toml (328:336, 1%) - rules_building_block/persistence_transport_agent_exchange.toml (64:72, 5%) 6 duplicated lines in: - rules/linux/execution_process_started_from_process_id_file.toml (89:94, 6%) - rules_building_block/discovery_posh_generic.toml (294:299, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/lateral_movement_remote_services.toml (98:103, 3%) - rules_building_block/discovery_net_view.toml (40:45, 6%) 6 duplicated lines in: - rules/linux/execution_perl_tty_shell.toml (110:115, 6%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (105:110, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_unusual_process_extension.toml (20:25, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_disabling_windows_logs.toml (65:70, 5%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml (70:75, 8%) - rules_building_block/defense_evasion_unusual_process_extension.toml (64:69, 8%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (100:105, 5%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/linux/persistence_unusual_sshd_child_process.toml (88:94, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/credential_access_cmdline_dump_tool.toml (55:60, 4%) - rules_building_block/discovery_security_software_wmic.toml (48:53, 6%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml (71:76, 5%) - rules_building_block/discovery_post_exploitation_external_ip_lookup.toml (64:69, 4%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (84:89, 6%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml (38:43, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml (106:111, 5%) - rules_building_block/discovery_posh_password_policy.toml (39:44, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml (123:128, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_defender_disabled_via_registry.toml (64:69, 5%) - rules_building_block/defense_evasion_invalid_codesign_imageload.toml (22:27, 11%) 6 duplicated lines in: - rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml (88:93, 6%) - rules_building_block/persistence_web_server_sus_file_creation.toml (124:129, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (26:31, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml (106:111, 4%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_download_susp_extension.toml (26:31, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (62:67, 7%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml (104:109, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (37:42, 5%) 6 duplicated lines in: - rules/integrations/fim/persistence_suspicious_file_modifications.toml (45:50, 2%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_msxsl_network.toml (60:65, 7%) - rules_building_block/defense_evasion_unsigned_bits_client.toml (26:31, 10%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (122:127, 5%) - rules_building_block/defense_evasion_download_susp_extension.toml (62:67, 7%) 6 duplicated lines in: - rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml (130:136, 4%) - rules_building_block/persistence_github_new_pat_for_user.toml (51:57, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml (55:60, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (75:80, 7%) - rules_building_block/defense_evasion_services_exe_path.toml (49:54, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_mshta_beacon.toml (62:67, 7%) - rules_building_block/defense_evasion_download_susp_extension.toml (27:32, 7%) 6 duplicated lines in: - rules/linux/persistence_apt_package_manager_netcon.toml (141:146, 4%) - rules_building_block/persistence_transport_agent_exchange.toml (108:113, 5%) 6 duplicated lines in: - rules/linux/execution_process_started_in_shared_memory_directory.toml (116:121, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (107:112, 5%) 6 duplicated lines in: - rules/linux/persistence_extract_initramfs_via_cpio.toml (83:88, 5%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml (125:130, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (94:99, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml (22:27, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_services_exe_path.toml (28:33, 7%) 6 duplicated lines in: - rules/windows/persistence_via_wmi_stdregprov_run_services.toml (194:199, 3%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/execution_unusual_pkexec_execution.toml (120:125, 4%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (91:96, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_msiexec_child_proc_netcon.toml (61:66, 6%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml (41:46, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (85:90, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml (90:95, 5%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_sdelete_like_filename_rename.toml (59:64, 6%) - rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml (39:44, 6%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml (159:164, 3%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml (22:27, 10%) 6 duplicated lines in: - rules/windows/collection_winrar_encryption.toml (51:56, 5%) - rules_building_block/discovery_remote_system_discovery_commands_windows.toml (39:44, 6%) 6 duplicated lines in: - rules/windows/initial_access_execution_from_inetcache.toml (95:102, 5%) - rules_building_block/defense_evasion_masquerading_browsers.toml (165:172, 3%) 6 duplicated lines in: - rules/windows/persistence_adobe_hijack_persistence.toml (107:112, 4%) - rules_building_block/lateral_movement_posh_winrm_activity.toml (44:49, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_unusual_process_extension.toml (19:24, 8%) 6 duplicated lines in: - rules/windows/credential_access_posh_request_ticket.toml (84:90, 5%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_renamed.toml (103:108, 4%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (44:49, 5%) 6 duplicated lines in: - rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml (89:94, 4%) - rules_building_block/persistence_creation_of_kernel_module.toml (19:24, 12%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_concat.toml (37:42, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/linux/discovery_suspicious_which_command_execution.toml (55:60, 7%) - rules_building_block/discovery_linux_system_information_discovery.toml (19:24, 12%) 6 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (103:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/command_and_control_iexplore_via_com.toml (90:95, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (129:134, 4%) 6 duplicated lines in: - rules/macos/persistence_finder_sync_plugin_pluginkit.toml (103:108, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_ntlm_downgrade.toml (26:31, 7%) - rules_building_block/defense_evasion_installutil_command_activity.toml (30:35, 10%) 6 duplicated lines in: - rules/cross-platform/persistence_ssh_authorized_keys_modification.toml (105:110, 5%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/macos/persistence_creation_hidden_login_item_osascript.toml (98:103, 5%) - rules_building_block/persistence_startup_folder_lnk.toml (49:54, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml (133:138, 4%) - rules_building_block/command_and_control_bitsadmin_activity.toml (78:83, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_unusual_ads_file_creation.toml (109:114, 3%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/linux/defense_evasion_dynamic_linker_file_creation.toml (135:141, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml (74:80, 8%) - rules_building_block/initial_access_github_new_user_agent_for_pat.toml (51:57, 11%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/initial_access_github_new_ip_address_for_pat.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/discovery_dynamic_linker_via_od.toml (89:94, 5%) - rules_building_block/discovery_potential_memory_seeking_activity.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (108:113, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (64:69, 7%) 6 duplicated lines in: - rules/windows/privilege_escalation_unquoted_service_path.toml (76:82, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (32:38, 3%) 6 duplicated lines in: - rules/linux/persistence_polkit_policy_creation.toml (108:113, 5%) - rules_building_block/defense_evasion_service_path_registry.toml (81:86, 7%) 6 duplicated lines in: - rules/linux/discovery_yum_dnf_plugin_detection.toml (85:90, 5%) - rules_building_block/discovery_getconf_execution.toml (24:29, 12%) 6 duplicated lines in: - rules/linux/command_and_control_cat_network_activity.toml (168:173, 4%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/linux/execution_potential_hack_tool_executed.toml (83:88, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (45:50, 8%) 6 duplicated lines in: - rules/windows/persistence_msoffice_startup_registry.toml (98:103, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml (116:121, 4%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml (119:125, 5%) - rules_building_block/collection_posh_compression.toml (118:123, 4%) 6 duplicated lines in: - rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml (115:120, 4%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/discovery_admin_recon.toml (60:65, 5%) - rules_building_block/discovery_net_share_discovery_winlog.toml (22:27, 10%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (93:99, 6%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (70:76, 8%) 6 duplicated lines in: - rules/linux/discovery_ping_sweep_detected.toml (48:53, 6%) - rules_building_block/discovery_capnetraw_capability.toml (52:57, 7%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (73:79, 6%) - rules_building_block/defense_evasion_service_disabled_registry.toml (31:37, 9%) 6 duplicated lines in: - rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml (113:118, 5%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (60:65, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_string_format.toml (38:43, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml (79:85, 8%) - rules_building_block/discovery_kernel_module_enumeration_via_proc.toml (70:76, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_event_logs.toml (63:68, 5%) - rules_building_block/defense_evasion_unusual_process_path_wbem.toml (25:30, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/integrations/aws/credential_access_iam_user_addition_to_group.toml (93:98, 6%) - rules_building_block/persistence_github_new_pat_for_user.toml (38:43, 11%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (87:93, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (61:66, 7%) 6 duplicated lines in: - rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml (87:93, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (78:83, 7%) 6 duplicated lines in: - rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml (128:134, 5%) - rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml (73:79, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml (33:38, 3%) - rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml (23:28, 9%) 6 duplicated lines in: - rules/linux/persistence_ssh_via_backdoored_system_user.toml (114:120, 5%) - rules_building_block/defense_evasion_services_exe_path.toml (74:79, 7%) 6 duplicated lines in: - rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml (36:41, 15%) - rules_building_block/defense_evasion_posh_defender_tampering.toml (87:92, 6%) 6 duplicated lines in: - rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml (154:160, 4%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (46:52, 12%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_linux.toml (102:107, 4%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/linux/command_and_control_linux_kworker_netcon.toml (131:137, 4%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_dns_over_https_enabled.toml (65:70, 6%) - rules_building_block/defense_evasion_cmstp_execution.toml (30:35, 10%) 6 duplicated lines in: - rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml (121:126, 5%) - rules_building_block/initial_access_github_new_user_agent_for_user.toml (37:42, 11%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml (25:30, 12%) 6 duplicated lines in: - rules/windows/persistence_werfault_reflectdebugger.toml (73:79, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (32:38, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/windows/command_and_control_ingress_transfer_bits.toml (116:121, 4%) - rules_building_block/defense_evasion_suspicious_msiexec_execution.toml (26:31, 8%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml (38:43, 7%) - rules_building_block/defense_evasion_file_permission_modification.toml (22:27, 10%) 6 duplicated lines in: - rules/ml/persistence_ml_rare_process_by_host_windows.toml (159:164, 3%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/linux/persistence_ssh_netcon.toml (103:109, 5%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/discovery_command_system_account.toml (56:61, 6%) - rules_building_block/collection_posh_compression.toml (39:44, 4%) 6 duplicated lines in: - rules/linux/discovery_private_key_password_searching_activity.toml (93:99, 6%) - rules_building_block/command_and_control_non_standard_http_port.toml (116:122, 4%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (88:94, 3%) - rules_building_block/discovery_posh_generic.toml (49:55, 2%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml (39:44, 6%) - rules_building_block/defense_evasion_service_path_registry.toml (22:27, 7%) 6 duplicated lines in: - rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (72:77, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_generic_deletion.toml (22:27, 9%) 6 duplicated lines in: - rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml (25:30, 6%) - rules_building_block/discovery_hosts_file_access.toml (22:27, 12%) 6 duplicated lines in: - rules/windows/execution_posh_malicious_script_agg.toml (82:87, 5%) - rules_building_block/command_and_control_certutil_network_connection.toml (121:126, 3%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (2:8, 8%) - rules_building_block/execution_github_new_repo_interaction_for_user.toml (3:9, 12%) 6 duplicated lines in: - rules/macos/persistence_folder_action_scripts_runtime.toml (114:119, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (102:107, 5%) 6 duplicated lines in: - rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml (89:94, 6%) - rules_building_block/defense_evasion_masquerading_browsers.toml (188:193, 3%) 6 duplicated lines in: - rules/ml/ml_windows_anomalous_network_activity.toml (80:85, 7%) - rules_building_block/defense_evasion_write_dac_access.toml (43:48, 8%) 6 duplicated lines in: - rules/linux/defense_evasion_creation_of_hidden_files_directories.toml (61:66, 7%) - rules_building_block/discovery_hosts_file_access.toml (22:27, 12%) 6 duplicated lines in: - rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml (54:59, 8%) - rules_building_block/execution_github_new_repo_interaction_for_pat.toml (19:24, 12%) 6 duplicated lines in: - rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml (85:90, 6%) - rules_building_block/lateral_movement_at.toml (47:52, 8%) 6 duplicated lines in: - rules/windows/discovery_whoami_command_activity.toml (66:71, 5%) - rules_building_block/discovery_generic_registry_query.toml (23:28, 8%) 6 duplicated lines in: - rules/ml/persistence_ml_windows_anomalous_service.toml (107:112, 5%) - rules_building_block/defense_evasion_powershell_clear_logs_script.toml (43:48, 5%) 6 duplicated lines in: - rules/windows/discovery_peripheral_device.toml (59:64, 7%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_wsl_bash_exec.toml (112:117, 5%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (92:97, 6%) 6 duplicated lines in: - rules/windows/defense_evasion_suspicious_short_program_name.toml (102:107, 5%) - rules_building_block/defense_evasion_service_disabled_registry.toml (23:28, 9%) 6 duplicated lines in: - rules/macos/privilege_escalation_explicit_creds_via_scripting.toml (127:132, 5%) - rules_building_block/persistence_transport_agent_exchange.toml (112:117, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml (38:43, 6%) - rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml (29:34, 9%) 6 duplicated lines in: - rules/windows/persistence_temp_scheduled_task.toml (88:93, 6%) - rules_building_block/persistence_iam_instance_request_to_iam_service.toml (113:118, 5%) 6 duplicated lines in: - rules/windows/defense_evasion_clearing_windows_security_logs.toml (51:56, 8%) - rules_building_block/defense_evasion_dll_hijack.toml (23:28, 6%) 6 duplicated lines in: - rules/linux/defense_evasion_hidden_shared_object.toml (95:100, 5%) - rules_building_block/persistence_web_server_sus_file_creation.toml (48:53, 5%) 6 duplicated lines in: - rules/windows/discovery_posh_suspicious_api_functions.toml (78:83, 3%) - rules_building_block/discovery_system_time_discovery.toml (28:33, 10%) 6 duplicated lines in: - rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml (69:74, 6%) - rules_building_block/discovery_internet_capabilities.toml (23:28, 10%) 6 duplicated lines in: - rules/windows/defense_evasion_cve_2020_0601.toml (54:59, 8%) - rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml (28:33, 6%) 6 duplicated lines in: - rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml (89:95, 7%) - rules_building_block/initial_access_github_new_ip_address_for_user.toml (50:56, 11%) 6 duplicated lines in: - rules/windows/execution_command_shell_via_rundll32.toml (110:115, 5%) - rules_building_block/credential_access_win_private_key_access.toml (75:80, 7%) 6 duplicated lines in: - rules/linux/execution_executable_stack_execution.toml (40:45, 6%) - rules_building_block/discovery_capnetraw_capability.toml (50:55, 7%) 6 duplicated lines in: - rules/windows/defense_evasion_disable_nla.toml (65:70, 6%) - rules_building_block/defense_evasion_injection_from_msoffice.toml (23:28, 7%) 6 duplicated lines in: - rules/macos/privilege_escalation_applescript_with_admin_privs.toml (112:117, 5%) - rules_building_block/defense_evasion_cmd_copy_binary_contents.toml (61:66, 8%)