Path	Lines of Code
behavior/rules/cross-platform/defense_evasion_kill_command_executed_from_a_hidden_process.toml	60
behavior/rules/cross-platform/defense_evasion_tampering_of_bash_command_line_history.toml	51
behavior/rules/cross-platform/execution_eggshell_backdoor_execution.toml	34
behavior/rules/cross-platform/execution_empire_stager_execution.toml	56
behavior/rules/cross-platform/execution_kill_command_executed_from_binary_in_unusual_location.toml	61
behavior/rules/cross-platform/execution_potential_reverse_shell_activity_via_terminal.toml	59
behavior/rules/cross-platform/execution_privilege_escalation_enumeration_via_linpeas.toml	41
behavior/rules/cross-platform/impact_darkradiation_ransomware_infection.toml	42
behavior/rules/cross-platform/impact_suspicious_recursive_file_deletion_via_built_in_utilities.toml	47
behavior/rules/cross-platform/persistence_potential_persistence_via_direct_crontab_modification.toml	81
behavior/rules/cross-platform/privilege_escalation_sudo_heap_based_buffer_overflow_attempt.toml	57
behavior/rules/linux/command_and_control_curl_socks_proxy_activity_from_unusual_parent.toml	50
behavior/rules/linux/command_and_control_egress_network_connection_followed_by_command_execution.toml	83
behavior/rules/linux/command_and_control_file_downloaded_via_curl_or_wget_to_hidden_directory.toml	63
behavior/rules/linux/command_and_control_hidden_executable_initiated_egress_network_connection.toml	49
behavior/rules/linux/command_and_control_hidden_process_execution_followed_by_network_connection.toml	48
behavior/rules/linux/command_and_control_network_activity_detected_via_cat.toml	52
behavior/rules/linux/command_and_control_network_connection_by_foomatic_rip_child.toml	65
behavior/rules/linux/command_and_control_network_connection_followed_by_file_creation.toml	83
behavior/rules/linux/command_and_control_potential_multi_architecture_file_downloads.toml	56
behavior/rules/linux/command_and_control_potential_vsingle_malware_infection.toml	36
behavior/rules/linux/command_and_control_python_network_connection_followed_by_command_execution.toml	91
behavior/rules/linux/command_and_control_python_network_connection_followed_by_file_creation.toml	86
behavior/rules/linux/credential_access_linux_init_(pid_1)_secret_dump_via_gdb.toml	38
behavior/rules/linux/credential_access_manual_memory_password_searching_activity.toml	41
behavior/rules/linux/credential_access_potential_linux_credential_dumping_via_proc_filesystem.toml	44
behavior/rules/linux/credential_access_potential_linux_credential_dumping_via_unshadow.toml	39
behavior/rules/linux/defense_evasion_auditctl_disabled_via_shell_process.toml	41
behavior/rules/linux/defense_evasion_base64_or_xxd_decode_argument_evasion.toml	66
behavior/rules/linux/defense_evasion_base64_shebang_payload_decoded_via_built_in_utility.toml	81
behavior/rules/linux/defense_evasion_binary_executed_from_shared_memory_directory.toml	42
behavior/rules/linux/defense_evasion_chattr_execution_from_unusual_parent.toml	45
behavior/rules/linux/defense_evasion_chattr_execution_with_unusual_target_file.toml	71
behavior/rules/linux/defense_evasion_cron(d)_service_started_by_unusual_parent.toml	71
behavior/rules/linux/defense_evasion_curl_or_wget_egress_network_connection_via_lolbin.toml	108
behavior/rules/linux/defense_evasion_defense_evasion_via_bind_mount.toml	48
behavior/rules/linux/defense_evasion_defense_evasion_via_hidepid_mount.toml	52
behavior/rules/linux/defense_evasion_egress_network_connection_from_deleted_executable.toml	60
behavior/rules/linux/defense_evasion_execution_of_in_memory_file_via_interactive_session.toml	63
behavior/rules/linux/defense_evasion_global_dynamic_linker_file_copied.toml	73
behavior/rules/linux/defense_evasion_linux_base64_descendant_egress_network_connection.toml	82
behavior/rules/linux/defense_evasion_linux_compilation_in_suspicious_directory.toml	40
behavior/rules/linux/defense_evasion_linux_file_made_executable_by_suspicious_parent.toml	46
behavior/rules/linux/defense_evasion_linux_hidden_file_mounted.toml	50
behavior/rules/linux/defense_evasion_linux_payload_decoded_and_decrypted_via_built_in_utility.toml	84
behavior/rules/linux/defense_evasion_linux_shared_object_load_via_ssh_keygen.toml	39
behavior/rules/linux/defense_evasion_network_activity_from_in_memory_file.toml	67
behavior/rules/linux/defense_evasion_potential_masquerading_via__proc_self_exe.toml	36
behavior/rules/linux/defense_evasion_potential_nologin_ssh_backdoor.toml	40
behavior/rules/linux/defense_evasion_potential_process_injection_via_dd.toml	54
behavior/rules/linux/defense_evasion_potential_process_masquerading_via_exec.toml	68
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_crash.toml	52
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_php.toml	68
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_pidstat.toml	51
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_run_parts.toml	75
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_sed.toml	55
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_split.toml	51
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_sysctl.toml	51
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_systemd_run.toml	70
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_tcpdump.toml	53
behavior/rules/linux/defense_evasion_process_masquerading_as_kernel_process.toml	57
behavior/rules/linux/defense_evasion_process_path_symbolic_link_manipulation.toml	37
behavior/rules/linux/defense_evasion_proxy_shell_execution_via_busybox.toml	54
behavior/rules/linux/defense_evasion_shared_object_file_creation_and_immediate_preload.toml	77
behavior/rules/linux/defense_evasion_shared_object_injection_via_process_environment_variable.toml	114
behavior/rules/linux/defense_evasion_shared_object_load_via_lolbin.toml	71
behavior/rules/linux/defense_evasion_shell_command_execution_via_kworker.toml	55
behavior/rules/linux/defense_evasion_shell_execution_of_non_executable_file.toml	52
behavior/rules/linux/defense_evasion_suspicious_base64_string_command_line.toml	94
behavior/rules/linux/defense_evasion_system_binary_preload_and_immediate_network_connection.toml	70
behavior/rules/linux/defense_evasion_system_binary_proxy_execution_via_ld.so.toml	55
behavior/rules/linux/defense_evasion_timestomping_detected_via_touch.toml	68
behavior/rules/linux/discovery_linux_external_ip_address_discovery_via_curl.toml	62
behavior/rules/linux/execution_bind_shell_via_netcat_traditional.toml	53
behavior/rules/linux/execution_bind_shell_via_node.toml	51
behavior/rules/linux/execution_bind_shell_via_socket.toml	51
behavior/rules/linux/execution_file_creation_by_foomatic_rip_child.toml	51
behavior/rules/linux/execution_foomatic_rip_shell_execution.toml	51
behavior/rules/linux/execution_interactive_shell_spawned_via_hidden_process.toml	50
behavior/rules/linux/execution_linux_background_process_execution_via_shell.toml	42
behavior/rules/linux/execution_linux_hidden_folder_or_file_execution_via_python.toml	43
behavior/rules/linux/execution_linux_powershell_egress_network_connection.toml	81
behavior/rules/linux/execution_linux_powershell_encoded_command.toml	48
behavior/rules/linux/execution_linux_powershell_suspicious_child_process.toml	43
behavior/rules/linux/execution_linux_reverse_shell.toml	60
behavior/rules/linux/execution_linux_reverse_shell_via_child.toml	53
behavior/rules/linux/execution_linux_reverse_shell_via_netcat.toml	60
behavior/rules/linux/execution_linux_reverse_shell_via_setsid_and_nohup.toml	60
behavior/rules/linux/execution_linux_reverse_shell_via_suspicious_utility.toml	79
behavior/rules/linux/execution_linux_suspicious_child_process_execution_via_interactive_shell.toml	57
behavior/rules/linux/execution_netcat_reverse_shell_via_busybox.toml	72
behavior/rules/linux/execution_potential_gsocket_activity.toml	58
behavior/rules/linux/execution_potential_linux_hack_tool_launched.toml	44
behavior/rules/linux/execution_potential_linux_reverse_shell_via_java.toml	81
behavior/rules/linux/execution_potential_reverse_shell_via_named_pipe.toml	84
behavior/rules/linux/execution_printer_user_(lp)_shell_execution.toml	53
behavior/rules/linux/execution_renice_or_ulimit_execution_from_unusual_parent.toml	51
behavior/rules/linux/execution_reverse_or_bind_shell_via_suspicious_utility.toml	58
behavior/rules/linux/execution_reverse_shell_via_networkmanager_dispatcher_script.toml	64
behavior/rules/linux/execution_script_executed_through_unusual_parent_process.toml	56
behavior/rules/linux/execution_shell_via_networkmanager_dispatcher_script.toml	51
behavior/rules/linux/execution_suspicious_command_execution_via_busybox_proxy.toml	73
behavior/rules/linux/execution_suspicious_d_bus_method_call.toml	55
behavior/rules/linux/execution_suspicious_execution_from_foomatic_rip_or_cupsd_parent.toml	68
behavior/rules/linux/execution_suspicious_execution_via_a_hidden_process.toml	63
behavior/rules/linux/execution_suspicious_execution_via_setsid_and_nohup.toml	50
behavior/rules/linux/execution_suspicious_mining_process_events.toml	46
behavior/rules/linux/execution_unusual_execution_from__dev_parent.toml	47
behavior/rules/linux/execution_user_discovery_command_execution_from_shared_memory.toml	47
behavior/rules/linux/impact_msr_write_access_enabled.toml	53
behavior/rules/linux/impact_potential_coin_miner_execution.toml	72
behavior/rules/linux/impact_potential_coin_miner_execution_via_shell.toml	68
behavior/rules/linux/impact_potential_mining_pool_command_detection.toml	73
behavior/rules/linux/initial_access_remote_code_execution_via_confluence_ognl_injection.toml	41
behavior/rules/linux/lateral_movement_potential_ssh_it_ssh_worm_downloaded.toml	48
behavior/rules/linux/persistence_apt_package_manager_command_execution.toml	93
behavior/rules/linux/persistence_apt_package_manager_egress_network_connection.toml	90
behavior/rules/linux/persistence_at_utility_launched_through_udevadm.toml	62
behavior/rules/linux/persistence_binary_execution_from_unusual_location_through_shell_profile.toml	62
behavior/rules/linux/persistence_decode_activity_via_web_server.toml	108
behavior/rules/linux/persistence_egress_connection_by_a_dnf_package_manager_descendant.toml	92
behavior/rules/linux/persistence_egress_connection_by_a_yum_package_manager_descendant.toml	81
behavior/rules/linux/persistence_egress_network_connection_by_motd_child.toml	80
behavior/rules/linux/persistence_egress_network_connection_from_default_dpkg_directory.toml	96
behavior/rules/linux/persistence_egress_network_connection_from_rpm_package.toml	99
behavior/rules/linux/persistence_file_downloaded_and_piped_to_interpreter_by_web_server.toml	80
behavior/rules/linux/persistence_file_downloaded_from_suspicious_source_by_web_server.toml	82
behavior/rules/linux/persistence_file_downloaded_to_suspicious_location_by_web_server.toml	90
behavior/rules/linux/persistence_hidden_payload_executed_via_scheduled_job.toml	121
behavior/rules/linux/persistence_linux_backdoor_network_access_via_unusual_process.toml	57
behavior/rules/linux/persistence_motd_execution_followed_by_egress_network_connection.toml	90
behavior/rules/linux/persistence_network_connection_through_shell_profile.toml	89
behavior/rules/linux/persistence_potential_web_server_directory_traversal.toml	82
behavior/rules/linux/persistence_reverse_shell_executed_via_web_server.toml	91
behavior/rules/linux/persistence_scheduled_job_executing_binary_in_unusual_location.toml	91
behavior/rules/linux/persistence_scheduled_task_unusual_command_execution.toml	115
behavior/rules/linux/persistence_suspicious_download_and_redirect_by_web_server.toml	92
behavior/rules/linux/persistence_suspicious_echo_execution.toml	165
behavior/rules/linux/persistence_suspicious_file_creation_via_web_server.toml	94
behavior/rules/linux/persistence_suspicious_message_of_the_day_execution.toml	68
behavior/rules/linux/persistence_suspicious_process_spawned_from_motd_detected.toml	64
behavior/rules/linux/persistence_system_v_init_(init.d)_egress_network_connection.toml	66
behavior/rules/linux/persistence_system_v_init_(init.d)_executed_binary_from_unusual_location.toml	46
behavior/rules/linux/persistence_systemd_execution_followed_by_network_connection.toml	113
behavior/rules/linux/persistence_udev_execution_followed_by_egress_network_connection.toml	86
behavior/rules/linux/persistence_unusual_command_executed_by_web_server.toml	119
behavior/rules/linux/privilege_escalation_cve_2023_0386_exploitation_attempt.toml	41
behavior/rules/linux/privilege_escalation_potential_privilege_escalation_via_cve_2023_4911.toml	37
behavior/rules/linux/privilege_escalation_potential_privilege_escalation_via_fuse_binary.toml	38
behavior/rules/linux/privilege_escalation_potential_privilege_escalation_via_overlayfs.toml	39
behavior/rules/linux/privilege_escalation_potential_sudo_privilege_escalation_via_cve_2019_14287.toml	34
behavior/rules/linux/privilege_escalation_privilege_escalation_via_pkexec_exploitation.toml	40
behavior/rules/linux/privilege_escalation_privilege_escalation_via_polkit_system_service.toml	49
behavior/rules/macos/collection_clipboard_accessed_by_unsigned_or_untrusted_binary.toml	41
behavior/rules/macos/collection_discovery_result_written_to_a_suspicious_file_via_discovery_process.toml	54
behavior/rules/macos/collection_exfiltration_data_staging_in_temporary_directory_via_osascript.toml	40
behavior/rules/macos/collection_pbpaste_execution_via_unusual_parent.toml	37
behavior/rules/macos/collection_potential_data_collection_in_temporary_directory_by_hidden_executable.toml	45
behavior/rules/macos/collection_sensitive_file_access_followed_by_compression.toml	55
behavior/rules/macos/collection_suspicious_archive_creation_via_ditto.toml	49
behavior/rules/macos/collection_suspicious_image_creation_via_screencapture.toml	49
behavior/rules/macos/command_and_control_curl_download_and_osascript_payload_execution_via_node.toml	44
behavior/rules/macos/command_and_control_curl_executable_file_download_via_osascript.toml	37
behavior/rules/macos/command_and_control_curl_execution_via_apple_installer_package.toml	40
behavior/rules/macos/command_and_control_curl_execution_via_application_shell_script.toml	54
behavior/rules/macos/command_and_control_curl_execution_via_automator_application.toml	42
behavior/rules/macos/command_and_control_curl_execution_via_commandline_shell_script.toml	49
behavior/rules/macos/command_and_control_curl_execution_via_env_binary.toml	42
behavior/rules/macos/command_and_control_curl_from_volume_mount.toml	41
behavior/rules/macos/command_and_control_curl_local_file_read_or_write_via_osascript.toml	35
behavior/rules/macos/command_and_control_curl_to_ftp_server_via_raw_ip.toml	34
behavior/rules/macos/command_and_control_curl_to_suspicious_top_level_domain.toml	51
behavior/rules/macos/command_and_control_curl_to_telegram_api.toml	43
behavior/rules/macos/command_and_control_executable_file_access_or_modification_via_osascript.toml	33
behavior/rules/macos/command_and_control_hidden_file_network_connection_and_executable_download.toml	38
behavior/rules/macos/command_and_control_network_connection_to_oast_domain_via_package_service_or_script.toml	39
behavior/rules/macos/command_and_control_osascript_download_cradle_spawned.toml	44
behavior/rules/macos/command_and_control_osascript_payload_drop_and_execute.toml	45
behavior/rules/macos/command_and_control_potential_payload_download_via_applescript_applet.toml	59
behavior/rules/macos/command_and_control_potential_wizardupdate_malware_infection.toml	36
behavior/rules/macos/command_and_control_potential_xcsset_malware_infection.toml	36
behavior/rules/macos/command_and_control_python_outbound_network_connection_over_ftp.toml	40
behavior/rules/macos/command_and_control_shlayer_malware_infection.toml	42
behavior/rules/macos/command_and_control_suspicious_archive_file_download_via_curl.toml	50
behavior/rules/macos/command_and_control_suspicious_binary_aws_s3_connection.toml	41
behavior/rules/macos/command_and_control_suspicious_curl_file_download_from_raw_ip.toml	45
behavior/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml	48
behavior/rules/macos/command_and_control_suspicious_curl_to_google_app_script_endpoint.toml	40
behavior/rules/macos/command_and_control_suspicious_curl_to_oast_domain.toml	37
behavior/rules/macos/command_and_control_suspicious_executable_download_via_curl.toml	37
behavior/rules/macos/command_and_control_suspicious_executable_download_via_ruby.toml	43
behavior/rules/macos/command_and_control_suspicious_file_download_via_google_drive.toml	62
behavior/rules/macos/command_and_control_suspicious_hidden_executable_and_immediate_network_connection.toml	45
behavior/rules/macos/command_and_control_suspicious_network_connection_to_gmail_via_nodejs.toml	58
behavior/rules/macos/command_and_control_suspicious_url_as_argument_to_self_signed_binary.toml	48
behavior/rules/macos/command_and_control_suspicious_vscode_extension_child_process.toml	41
behavior/rules/macos/command_and_control_url_as_argument_to_python_script_and_immediate_network_connection.toml	49
behavior/rules/macos/command_and_control_url_as_process_argument_via_installer_package.toml	49
behavior/rules/macos/credential_access_cloud_credential_files_accessed_by_osascript.toml	41
behavior/rules/macos/credential_access_cloud_credential_files_accessed_by_process_in_suspicious_directory.toml	63
behavior/rules/macos/credential_access_crypto_wallet_file_access_by_unsigned_or_untrusted_binary.toml	62
behavior/rules/macos/credential_access_crypto_wallet_file_access_via_commandline.toml	61
behavior/rules/macos/credential_access_crypto_wallet_or_web_browser_file_access_via_nodejs.toml	66
behavior/rules/macos/credential_access_crypto_wallet_or_web_browser_file_access_via_osascript.toml	65
behavior/rules/macos/credential_access_crypto_wallet_or_web_browser_file_access_via_python.toml	65
behavior/rules/macos/credential_access_dumping_account_hashes_via_built_in_commands.toml	37
behavior/rules/macos/credential_access_kerberos_config_file_accessed_by_osascript.toml	37
behavior/rules/macos/credential_access_kerberos_config_file_accessed_by_untrusted_or_unsigned_process.toml	38
behavior/rules/macos/credential_access_keychain_credential_files_collected_via_archive_utility.toml	71
behavior/rules/macos/credential_access_keychain_dump_via_native_security_tool.toml	50
behavior/rules/macos/credential_access_potential_access_to_kerberos_cached_credentials.toml	41
behavior/rules/macos/credential_access_potential_credentials_phishing_via_osascript.toml	54
behavior/rules/macos/credential_access_slack_workspace_files_accessed_by_osascript.toml	45
behavior/rules/macos/credential_access_slack_workspace_files_accessed_by_unsigned_or_untrusted_process.toml	45
behavior/rules/macos/credential_access_ssh_keys_accessed_by_osascript.toml	40
behavior/rules/macos/credential_access_suspicious_user_keychain_access_via_nodejs.toml	48
behavior/rules/macos/credential_access_suspicious_user_keychain_db_access_by_unsigned_binary.toml	42
behavior/rules/macos/credential_access_systemkey_access_via_command_line.toml	43
behavior/rules/macos/credential_access_telegram_data_accessed_by_osascript.toml	41
behavior/rules/macos/credential_access_telegram_data_accessed_by_unsigned_or_untrusted_process.toml	41
behavior/rules/macos/credential_access_user_keychain_access_in_unusual_location.toml	44
behavior/rules/macos/credential_access_user_keychain_copied_via_shell_interpreter.toml	44
behavior/rules/macos/credential_access_user_keychain_db_access_by_osascript.toml	39
behavior/rules/macos/credential_access_user_keychain_db_access_by_self_signed_binary.toml	51
behavior/rules/macos/credential_access_web_browser_credential_data_accessed_by_osascript.toml	45
behavior/rules/macos/credential_access_web_browser_credential_data_accessed_by_unsigned_or_untrusted_process.toml	48
behavior/rules/macos/credential_access_web_browsers_password_access_via_command_line.toml	46
behavior/rules/macos/defense_evasion_applescript_decoded_via_base64.toml	43
behavior/rules/macos/defense_evasion_base64_encoded_string_execution_via_osascript.toml	59
behavior/rules/macos/defense_evasion_decoded_or_decrypted_payload_written_to_suspicious_directory.toml	94
behavior/rules/macos/defense_evasion_dylib_injection_via_process_environment_variables.toml	100
behavior/rules/macos/defense_evasion_dylib_load_via_ssh_keygen.toml	32
behavior/rules/macos/defense_evasion_dylib_loaded_by_process_in_suspicious_location.toml	51
behavior/rules/macos/defense_evasion_elastic_endpoint_security_kernel_extension_unload.toml	51
behavior/rules/macos/defense_evasion_embedded_payload_dropped_and_executed.toml	44
behavior/rules/macos/defense_evasion_executable_file_creation_via_base64.toml	44
behavior/rules/macos/defense_evasion_execution_of_a_file_dropped_by_openssl.toml	53
behavior/rules/macos/defense_evasion_execution_of_hidden_file_from_the_shared_directory.toml	46
behavior/rules/macos/defense_evasion_execution_of_non_executable_file_via_shell.toml	53
behavior/rules/macos/defense_evasion_file_hidden_via_chflags.toml	39
behavior/rules/macos/defense_evasion_file_hidden_via_setfile.toml	44
behavior/rules/macos/defense_evasion_file_made_executable_via_package_install_script.toml	63
behavior/rules/macos/defense_evasion_in_memory_jxa_execution_via_scriptingadditions.toml	50
behavior/rules/macos/defense_evasion_killall_execution_via_python.toml	32
behavior/rules/macos/defense_evasion_launchpad_hijack.toml	56
behavior/rules/macos/defense_evasion_mach_o_file_with_unusual_extension.toml	46
behavior/rules/macos/defense_evasion_macos_hidden_file_mounted.toml	50
behavior/rules/macos/defense_evasion_modification_of_safari_settings_via_defaults_command.toml	38
behavior/rules/macos/defense_evasion_network_file_unzipped_via_unsigned_or_untrusted_binary.toml	56
behavior/rules/macos/defense_evasion_notificationcenter_silenced_via_killall_binary.toml	45
behavior/rules/macos/defense_evasion_operating_system_security_updates_disabled.toml	39
behavior/rules/macos/defense_evasion_payload_decoded_and_decrypted_via_built_in_utilities.toml	70
behavior/rules/macos/defense_evasion_potential_binary_masquerading_via_invalid_code_signature.toml	51
behavior/rules/macos/defense_evasion_potential_masquerading_as_system_binary.toml	55
behavior/rules/macos/defense_evasion_potential_privacy_control_bypass_via_localhost_secure_copy.toml	48
behavior/rules/macos/defense_evasion_potential_tcc_bypass_via_electron_web_inspector_api.toml	44
behavior/rules/macos/defense_evasion_quarantine_attribute_deleted_via_untrusted_binary.toml	51
behavior/rules/macos/defense_evasion_quarantine_attribute_removal_via_textedit.toml	52
behavior/rules/macos/defense_evasion_quarantine_attribute_removed_by_unsigned_or_unstrusted_process.toml	55
behavior/rules/macos/defense_evasion_reading_or_modifying_downloaded_files_database_via_sqlite_utility.toml	31
behavior/rules/macos/defense_evasion_reflective_dylib_load.toml	73
behavior/rules/macos/defense_evasion_suspicious_deobfuscation_via_shell_script.toml	43
behavior/rules/macos/defense_evasion_suspicious_dmg_file_creation_in_tmp_directory.toml	53
behavior/rules/macos/defense_evasion_suspicious_executable_copied_from_volume_mount.toml	47
behavior/rules/macos/defense_evasion_suspicious_file_attribute_clearing.toml	44
behavior/rules/macos/defense_evasion_suspicious_file_overwrite_and_modification_via_echo.toml	69
behavior/rules/macos/defense_evasion_suspicious_file_quarantine_removal_via_find.toml	44
behavior/rules/macos/defense_evasion_suspicious_finder_cache_file_modification.toml	38
behavior/rules/macos/defense_evasion_suspicious_macos_application_hidden_executable_file.toml	41
behavior/rules/macos/defense_evasion_suspicious_openssl_execution_via_macos_application.toml	74
behavior/rules/macos/defense_evasion_suspicious_stop_of_tccd_via_launchctl.toml	54
behavior/rules/macos/defense_evasion_suspicious_task_for_pid_system_call.toml	62
behavior/rules/macos/defense_evasion_suspicious_unload_of_elastic_agent_via_launchctl.toml	74
behavior/rules/macos/defense_evasion_tccutil_reset_via_suspicious_binary.toml	41
behavior/rules/macos/defense_evasion_terminal_closed_with_pkill_or_killall.toml	45
behavior/rules/macos/defense_evasion_terminal_window_hidden_or_closed_via_osascript.toml	42
behavior/rules/macos/defense_evasion_unsigned_or_untrusted_process_execution_and_immediate_self_deletion.toml	44
behavior/rules/macos/defense_evasion_unusual_dylib_load_from_users_shared_directory.toml	37
behavior/rules/macos/discovery_external_ip_address_discovery_via_curl.toml	93
behavior/rules/macos/discovery_potential_virtual_machine_fingerprinting_via_grep.toml	46
behavior/rules/macos/discovery_security_software_discovery_via_grep.toml	66
behavior/rules/macos/discovery_suspicious_sip_check_by_macos_application.toml	49
behavior/rules/macos/execution_abnormal_auval_child_process_execution.toml	51
behavior/rules/macos/execution_arbitrary_python_code_execution_via_nodejs.toml	39
behavior/rules/macos/execution_background_process_execution_via_shell.toml	57
behavior/rules/macos/execution_cocoa_applet_binary_execution.toml	45
behavior/rules/macos/execution_code_editor_untrusted_or_unsigned_child_process_execution.toml	52
behavior/rules/macos/execution_command_execution_via_screen_session.toml	43
behavior/rules/macos/execution_curl_download_and_execution_of_javascript_payload.toml	51
behavior/rules/macos/execution_decoy_document_creation_via_curl.toml	41
behavior/rules/macos/execution_disown_execution_via_shell_command_from_volume_mount.toml	44
behavior/rules/macos/execution_dscl_execution_via_osascript.toml	49
behavior/rules/macos/execution_executable_file_extracted_to_temporary_directory.toml	56
behavior/rules/macos/execution_execution_of_javascript_payload_via_osascript.toml	45
behavior/rules/macos/execution_execution_of_javascript_payload_via_python.toml	46
behavior/rules/macos/execution_execution_of_self_signed_binary_from_volume_mount.toml	45
behavior/rules/macos/execution_execution_via_electron_child_process_node.js_module.toml	55
behavior/rules/macos/execution_file_cloned_by_unsigned_or_untrusted_process.toml	36
behavior/rules/macos/execution_hidden_folder_or_file_access_in_tmp_via_python.toml	49
behavior/rules/macos/execution_hidden_python_script_execution_via_nodejs.toml	58
behavior/rules/macos/execution_initial_access_discovery_via_applet_executable.toml	48
behavior/rules/macos/execution_initial_access_via_audio_unit_plug_in.toml	55
behavior/rules/macos/execution_initial_access_via_macos_installer_package.toml	202
behavior/rules/macos/execution_initial_access_via_osa_shell_script_piped_to_python_interpreter.toml	57
behavior/rules/macos/execution_lone_binary_execution_from_volume_mount.toml	36
behavior/rules/macos/execution_macos_interactive_shell_spawned_via_hidden_process.toml	42
behavior/rules/macos/execution_nohup_execution_followed_by_outbound_network_connection.toml	77
behavior/rules/macos/execution_osa_script_execution_via_unsigned_or_untrusted_parent.toml	44
behavior/rules/macos/execution_osascript_execution_via_piped_applescript.toml	41
behavior/rules/macos/execution_payload_delivery_via_curl_and_immediate_execution.toml	55
behavior/rules/macos/execution_payload_piped_to_script_interpreter.toml	55
behavior/rules/macos/execution_possible_java_reverse_shell.toml	50
behavior/rules/macos/execution_potential_decoy_document_via_open.toml	47
behavior/rules/macos/execution_potential_python_reverse_shell.toml	57
behavior/rules/macos/execution_powershell_encoded_command.toml	51
behavior/rules/macos/execution_powershell_outbound_network_connection.toml	47
behavior/rules/macos/execution_python_initial_access_via_google_drive.toml	62
behavior/rules/macos/execution_python_script_execution_via_shell_and_remote_network_connection.toml	58
behavior/rules/macos/execution_shell_script_execution_from_abnormal_volume_mount_path.toml	49
behavior/rules/macos/execution_suspicious_apple_script_execution.toml	46
behavior/rules/macos/execution_suspicious_audio_unit_plug_in_file_access.toml	45
behavior/rules/macos/execution_suspicious_automator_application_execution.toml	45
behavior/rules/macos/execution_suspicious_automator_workflows_execution.toml	39
behavior/rules/macos/execution_suspicious_child_process_execution_via_interactive_shell.toml	53
behavior/rules/macos/execution_suspicious_child_process_of_expect.toml	45
behavior/rules/macos/execution_suspicious_codesign_execution_via_osacompile.toml	44
behavior/rules/macos/execution_suspicious_dscl_auth_validation.toml	55
behavior/rules/macos/execution_suspicious_dylib_load_from_temporary_directory.toml	51
behavior/rules/macos/execution_suspicious_electron_command_execution.toml	44
behavior/rules/macos/execution_suspicious_elevated_command_execution.toml	44
behavior/rules/macos/execution_suspicious_execution_of_unsigned_or_untrusted_process_via_sudo.toml	47
behavior/rules/macos/execution_suspicious_installer_remote_plugin_service_child_process.toml	44
behavior/rules/macos/execution_suspicious_interactive_shell_execution.toml	47
behavior/rules/macos/execution_suspicious_large_script_execution_via_shell_command.toml	47
behavior/rules/macos/execution_suspicious_network_connection_via_installer_package.toml	63
behavior/rules/macos/execution_suspicious_powershell_child_process.toml	42
behavior/rules/macos/execution_suspicious_python_package_child_process_execution.toml	57
behavior/rules/macos/execution_suspicious_python_script_execution_and_network_connection.toml	55
behavior/rules/macos/execution_suspicious_script_compilation_via_osacompile.toml	43
behavior/rules/macos/execution_suspicious_script_or_process_execution_from_mounted_device.toml	67
behavior/rules/macos/execution_suspicious_terminal_child_process_execution.toml	57
behavior/rules/macos/execution_suspicious_unsigned_application_execution_via_shell.toml	44
behavior/rules/macos/execution_suspicious_xpc_service_child_process.toml	68
behavior/rules/macos/execution_tclsh_execution_followed_by_immediate_network_connection.toml	41
behavior/rules/macos/execution_temporary_binary_execution_via_osascript.toml	41
behavior/rules/macos/execution_unsigned_or_untrusted_application_launch_via_xpc.toml	55
behavior/rules/macos/execution_unsigned_or_untrusted_binary_execution_via_xpc_call.toml	51
behavior/rules/macos/execution_untrusted_or_unsigned_binary_execution_via_osascript.toml	42
behavior/rules/macos/execution_untrusted_process_execution_with_invalid_plist_or_code_signature.toml	46
behavior/rules/macos/execution_unusual_bundle_execution_via_shell.toml	44
behavior/rules/macos/execution_unusually_large_osa_script_execution_via_shell_command.toml	50
behavior/rules/macos/execution_unusually_large_script_executed_by_osascript.toml	42
behavior/rules/macos/execution_user_discovery_command_execution_from_volume_mount.toml	55
behavior/rules/macos/execution_user_tcc_db_access_by_osascript.toml	52
behavior/rules/macos/execution_user_tcc_db_access_by_unsigned_or_untrusted_process.toml	50
behavior/rules/macos/execution_volume_muted_via_osascript.toml	40
behavior/rules/macos/exfiltration_potential_data_exfiltration_via_curl.toml	55
behavior/rules/macos/initial_access_initial_access_or_execution_via_microsoft_office_application.toml	172
behavior/rules/macos/initial_access_suspicious_execution_via_macos_script_editor.toml	81
behavior/rules/macos/lateral_movement_potential_kerberos_attack_via_bifrost.toml	55
behavior/rules/macos/persistence_at_job_creation_or_modification_via_shell_command.toml	60
behavior/rules/macos/persistence_cron_tab_creation_or_modification_via_shell_command.toml	60
behavior/rules/macos/persistence_default_application_hijacking.toml	41
behavior/rules/macos/persistence_dock_tile_plug_in_load.toml	39
behavior/rules/macos/persistence_initial_access_staging_via_installer_package.toml	55
behavior/rules/macos/persistence_manual_loading_of_a_suspicious_chromium_extension.toml	48
behavior/rules/macos/persistence_new_system_kext_file_and_immediate_load_via_kextload.toml	59
behavior/rules/macos/persistence_persistence_via_a_hidden_plist_filename.toml	73
behavior/rules/macos/persistence_persistence_via_a_masqueraded_plist_filename.toml	75
behavior/rules/macos/persistence_persistence_via_suspicious_launch_agent_or_launch_daemon.toml	128
behavior/rules/macos/persistence_potential_persistence_via_emond.toml	68
behavior/rules/macos/persistence_screensaver_plist_file_modified_by_unexpected_process.toml	58
behavior/rules/macos/persistence_suspicious_apple_mail_rule_plist_creation_or_modification.toml	45
behavior/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml	69
behavior/rules/macos/persistence_suspicious_startupitem_plist_creation_or_modification.toml	43
behavior/rules/macos/persistence_unexpected_child_process_of_macos_screensaver_engine.toml	41
behavior/rules/macos/persistence_unsigned_or_untrusted_binary_execution_via_cron.toml	54
behavior/rules/macos/persistence_unsigned_or_untrusted_binary_execution_via_zshrc.toml	53
behavior/rules/macos/persistence_unsigned_or_untrusted_process_execution_via_installer.toml	43
behavior/rules/macos/persistence_untrusted_or_unsigned_binary_executed_via_launch_service.toml	46
behavior/rules/macos/persistence_unusual_launch_service_creation_via_unsigned_or_untrusted_binary.toml	50
behavior/rules/macos/privilege_escalation_elevated_apple_script_execution_via_unsigned_parent.toml	50
behavior/rules/macos/privilege_escalation_executewithprivileges_prompt_via_unsigned_or_untrusted_application.toml	58
behavior/rules/macos/privilege_escalation_potential_code_injection_via_remote_thread.toml	41
behavior/rules/macos/privilege_escalation_potential_privilege_escalation_via_root_crontab_file_modification.toml	40
behavior/rules/macos/privilege_escalation_potential_privilege_escalation_via_tcc_bypass_with_fake_tcc.db.toml	57
behavior/rules/macos/privilege_escalation_potential_sip_bypass_via_the_shoveservice.toml	37
behavior/rules/macos/privilege_escalation_suspicious_privilegedhelpertool_activity.toml	58
behavior/rules/windows/collection_getasynckeystate_api_call_from_suspicious_process.toml	73
behavior/rules/windows/collection_getasynckeystate_api_call_from_unusual_process.toml	74
behavior/rules/windows/collection_keystroke_input_capture_via_directinput.toml	57
behavior/rules/windows/collection_keystroke_input_capture_via_registerrawinputdevices.toml	52
behavior/rules/windows/collection_keystroke_messages_hooking_via_setwindowshookex.toml	94
behavior/rules/windows/collection_keystrokes_input_capture_from_a_managed_application.toml	59
behavior/rules/windows/collection_keystrokes_input_capture_from_a_suspicious_module.toml	52
behavior/rules/windows/collection_keystrokes_input_capture_from_suspicious_callstack.toml	81
behavior/rules/windows/collection_keystrokes_input_capture_from_unsigned_dll.toml	71
behavior/rules/windows/collection_keystrokes_input_capture_via_setwindowshookex.toml	52
behavior/rules/windows/command_and_control_connection_to_dynamic_dns_provider_by_a_signed_binary_proxy.toml	100
behavior/rules/windows/command_and_control_connection_to_dynamic_dns_provider_by_an_unsigned_binary.toml	98
behavior/rules/windows/command_and_control_connection_to_webservice_by_a_signed_binary_proxy.toml	231
behavior/rules/windows/command_and_control_connection_to_webservice_by_an_unsigned_binary.toml	193
behavior/rules/windows/command_and_control_dns_query_to_suspicious_top_level_domain.toml	126
behavior/rules/windows/command_and_control_download_activity_via_a_headless_browser.toml	43
behavior/rules/windows/command_and_control_execution_from_suspicious_stack_trailing_bytes.toml	122
behavior/rules/windows/command_and_control_execution_of_a_file_written_by_a_signed_binary_proxy.toml	57
behavior/rules/windows/command_and_control_ingress_tool_transfer_via_curl.toml	53
behavior/rules/windows/command_and_control_ingress_tool_transfer_via_inet_cache.toml	46
behavior/rules/windows/command_and_control_ingress_tool_transfer_via_powershell.toml	76
behavior/rules/windows/command_and_control_ingress_transfer_via_windows_utility.toml	37
behavior/rules/windows/command_and_control_library_load_of_a_file_written_by_a_signed_binary_proxy.toml	68
behavior/rules/windows/command_and_control_netsupport_execution_form_unusual_path.toml	39
behavior/rules/windows/command_and_control_netwire_rat_registry_modification.toml	51
behavior/rules/windows/command_and_control_network_connect_api_from_unbacked_memory.toml	115
behavior/rules/windows/command_and_control_potential_execution_via_sliver_framework.toml	73
behavior/rules/windows/command_and_control_potential_known_tcp_port_traffic_tunneling.toml	78
behavior/rules/windows/command_and_control_potential_plugx_registry_modification.toml	69
behavior/rules/windows/command_and_control_potential_protocol_tunneling_via_legit_utilities.toml	45
behavior/rules/windows/command_and_control_potential_remote_desktop_protocol_tunneling.toml	52
behavior/rules/windows/command_and_control_potential_traffic_tunneling_with_qemu.toml	36
behavior/rules/windows/command_and_control_remcos_rat_exepath_registry_modification.toml	51
behavior/rules/windows/command_and_control_remcos_rat_inetcookies_file_deletion.toml	48
behavior/rules/windows/command_and_control_remcos_rat_registry_or_file_modification.toml	56
behavior/rules/windows/command_and_control_service_communication_via_mail_protocol.toml	56
behavior/rules/windows/command_and_control_suspicious_command_and_control_via_internet_explorer.toml	112
behavior/rules/windows/command_and_control_suspicious_communication_via_mail_protocol.toml	102
behavior/rules/windows/command_and_control_suspicious_dns_lookup_by_remote_utilities_rmm.toml	39
behavior/rules/windows/command_and_control_suspicious_dns_query_by_msiexec.toml	56
behavior/rules/windows/command_and_control_suspicious_dns_query_from_mounted_virtual_disk.toml	225
behavior/rules/windows/command_and_control_suspicious_executable_file_creation.toml	92
behavior/rules/windows/command_and_control_suspicious_netsupport_execution.toml	40
behavior/rules/windows/credential_access_access_attempt_to_non_existing_cryptocurrency_wallet.toml	76
behavior/rules/windows/credential_access_access_to_browser_credentials_from_suspicious_memory.toml	134
behavior/rules/windows/credential_access_access_to_windows_passwords_vault_via_powershell.toml	64
behavior/rules/windows/credential_access_autologons_access_attempt_via_registry.toml	60
behavior/rules/windows/credential_access_browser_debugging_from_unusual_parent.toml	84
behavior/rules/windows/credential_access_chrome_browser_spawned_from_an_unusual_parent.toml	62
behavior/rules/windows/credential_access_credential_access_via_known_utilities.toml	94
behavior/rules/windows/credential_access_failed_access_attempt_to_web_browser_files.toml	157
behavior/rules/windows/credential_access_failed_attempts_to_access_sensitive_files.toml	92
behavior/rules/windows/credential_access_lsa_dump_via_silentprocessexit.toml	41
behavior/rules/windows/credential_access_lsa_dump_via_windows_error_reporting.toml	42
behavior/rules/windows/credential_access_lsass_access_attempt_from_an_unsigned_executable.toml	45
behavior/rules/windows/credential_access_lsass_access_attempt_from_unbacked_memory.toml	65
behavior/rules/windows/credential_access_lsass_access_attempt_via_ppl_bypass.toml	72
behavior/rules/windows/credential_access_lsass_memory_dump_via_minidumpwritedump.toml	42
behavior/rules/windows/credential_access_potential_browser_credentials_stealer.toml	58
behavior/rules/windows/credential_access_potential_browser_debugging_via_localhost.toml	69
behavior/rules/windows/credential_access_potential_credential_access_via_mimikatz.toml	63
behavior/rules/windows/credential_access_potential_credential_access_via_rubeus.toml	58
behavior/rules/windows/credential_access_potential_credential_access_via_windows_credential_history.toml	59
behavior/rules/windows/credential_access_potential_discovery_of_dpapi_master_keys.toml	89
behavior/rules/windows/credential_access_potential_discovery_of_windows_credential_manager_store.toml	85
behavior/rules/windows/credential_access_potential_google_credentials_phishing.toml	58
behavior/rules/windows/credential_access_powershell_script_with_passwords_vault_access_capability.toml	56
behavior/rules/windows/credential_access_remote_access_to_sensitive_registry_keys.toml	56
behavior/rules/windows/credential_access_security_account_manager_(sam)_file_access.toml	79
behavior/rules/windows/credential_access_security_account_manager_(sam)_registry_access.toml	79
behavior/rules/windows/credential_access_sensitive_file_access_cloud_credentials.toml	72
behavior/rules/windows/credential_access_sensitive_file_access_remote_desktop_connection_manager.toml	58
behavior/rules/windows/credential_access_sensitive_file_access_ssh_saved_keys.toml	101
behavior/rules/windows/credential_access_sensitive_file_access_system_admin_utilities.toml	89
behavior/rules/windows/credential_access_sensitive_file_access_unattended_panther.toml	78
behavior/rules/windows/credential_access_sensitive_hive_access_via_registry_backup.toml	72
behavior/rules/windows/credential_access_suspicious_access_to_active_directory_database_file.toml	51
behavior/rules/windows/credential_access_suspicious_access_to_cryptocurrency_wallet_files.toml	111
behavior/rules/windows/credential_access_suspicious_access_to_lsa_secrets_registry.toml	78
behavior/rules/windows/credential_access_suspicious_access_to_web_browser_credential_stores.toml	63
behavior/rules/windows/credential_access_suspicious_access_to_windows_vault_files.toml	58
behavior/rules/windows/credential_access_suspicious_credential_files_creation_via_kerberos.toml	68
behavior/rules/windows/credential_access_suspicious_registry_hive_dump.toml	57
behavior/rules/windows/credential_access_suspicious_vault_client_image_load.toml	102
behavior/rules/windows/credential_access_suspicious_vault_files_access_via_rpc.toml	68
behavior/rules/windows/credential_access_system_bootkey_registry_access.toml	59
behavior/rules/windows/credential_access_unusual_kerberos_client_process.toml	47
behavior/rules/windows/credential_access_unusual_ldap_client_process.toml	77
behavior/rules/windows/credential_access_web_browser_credential_access_via_unsigned_process.toml	76
behavior/rules/windows/defense_evasion_allowprotectedrenames_registry_modification.toml	48
behavior/rules/windows/defense_evasion_amsi_bypass_via_com_registry_modification.toml	40
behavior/rules/windows/defense_evasion_amsi_bypass_via_powershell.toml	74
behavior/rules/windows/defense_evasion_amsi_bypass_via_unbacked_memory.toml	47
behavior/rules/windows/defense_evasion_amsi_or_wldp_bypass_via_memory_patching.toml	77
behavior/rules/windows/defense_evasion_api_call_from_a_process_with_a_spoofed_parent.toml	64
behavior/rules/windows/defense_evasion_api_call_via_jump_rop_gadget.toml	64
behavior/rules/windows/defense_evasion_api_call_via_timer_callback_event.toml	36
behavior/rules/windows/defense_evasion_asynchronous_procedure_call_from_unusual_module.toml	62
behavior/rules/windows/defense_evasion_attempt_to_disable_driver_via_hvcidisallowedimages.toml	39
behavior/rules/windows/defense_evasion_attempt_to_disable_windows_defender_services.toml	47
behavior/rules/windows/defense_evasion_attempt_to_disable_windows_driver_blocklist_via_registry.toml	41
behavior/rules/windows/defense_evasion_attempt_to_hide_files_via_registry_modification.toml	67
behavior/rules/windows/defense_evasion_binary_masquerading_via_untrusted_path.toml	214
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_appvlp.toml	35
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_pester.toml	38
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_rundll32.toml	92
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_runexehelper.toml	44
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_ttdinject.toml	38
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_windows_openssh.toml	44
behavior/rules/windows/defense_evasion_com_to_.net_redirection_via_registry.toml	50
behavior/rules/windows/defense_evasion_common_language_runtime_loaded_via_an_unsigned_module.toml	52
behavior/rules/windows/defense_evasion_control_panel_process_with_unusual_arguments.toml	63
behavior/rules/windows/defense_evasion_crashdump_disabled_via_registry_modification.toml	42
behavior/rules/windows/defense_evasion_defense_evasion_via_registry_modification.toml	58
behavior/rules/windows/defense_evasion_delayed_common_language_runtime_load.toml	62
behavior/rules/windows/defense_evasion_direct_syscall_from_unsigned_module.toml	80
behavior/rules/windows/defense_evasion_direct_syscall_via_assembly_bytes.toml	100
behavior/rules/windows/defense_evasion_disabling_hypervisor_protected_code_integrity_via_registry.toml	52
behavior/rules/windows/defense_evasion_dll_control_panel_items_registry_modification.toml	47
behavior/rules/windows/defense_evasion_dll_dropped_by_msiexec_followed_by_sideload.toml	114
behavior/rules/windows/defense_evasion_dll_execution_via_visual_studio_live_share.toml	37
behavior/rules/windows/defense_evasion_dll_injection_via_mavinject_utility.toml	45
behavior/rules/windows/defense_evasion_dll_side_loading_of_a_file_dropped_by_microsoft_office.toml	83
behavior/rules/windows/defense_evasion_dll_side_loading_via_a_copied_microsoft_executable.toml	78
behavior/rules/windows/defense_evasion_evasion_via_device_credential_deployment.toml	41
behavior/rules/windows/defense_evasion_evasion_via_event_tracing_for_windows_patching.toml	52
behavior/rules/windows/defense_evasion_evasion_via_file_name_masquerading.toml	91
behavior/rules/windows/defense_evasion_evasion_via_ldrpkernel32_overwrite.toml	48
behavior/rules/windows/defense_evasion_evasion_via_multiple_memory_section_mapping.toml	39
behavior/rules/windows/defense_evasion_evasion_via_sleep_api_hooking.toml	38
behavior/rules/windows/defense_evasion_execution_from_suspicious_directory.toml	123
behavior/rules/windows/defense_evasion_execution_of_a_binary_dropped_via_microsoft_bsdtar_archive_tool.toml	53
behavior/rules/windows/defense_evasion_execution_of_a_dnguard_protected_program.toml	43
behavior/rules/windows/defense_evasion_execution_of_a_file_dropped_from_kernel_mode.toml	40
behavior/rules/windows/defense_evasion_execution_via_internet_explorer_exporter.toml	41
behavior/rules/windows/defense_evasion_execution_via_msiexec_downloadandexecute_customaction.toml	49
behavior/rules/windows/defense_evasion_execution_via_program_compatibility_assistant.toml	43
behavior/rules/windows/defense_evasion_execution_via_renamed_signed_binary_proxy.toml	95
behavior/rules/windows/defense_evasion_execution_via_windows_command_line_debugging_utility.toml	39
behavior/rules/windows/defense_evasion_execution_via_windows_installer_transforms.toml	55
behavior/rules/windows/defense_evasion_firewall_policy_changed_by_a_suspicious_process.toml	55
behavior/rules/windows/defense_evasion_image_hollow_from_unusual_stack.toml	78
behavior/rules/windows/defense_evasion_image_load_via_synthetic_stack_spoofing.toml	53
behavior/rules/windows/defense_evasion_image_load_via_transactional_ntfs.toml	41
behavior/rules/windows/defense_evasion_indirect_command_execution_via_console_window_host.toml	44
behavior/rules/windows/defense_evasion_indirect_command_execution_via_forfiles.toml	44
behavior/rules/windows/defense_evasion_ingress_dll_transfer_followed_by_dll_sideloading.toml	64
behavior/rules/windows/defense_evasion_internet_activity_from_suspicious_unbacked_memory.toml	93
behavior/rules/windows/defense_evasion_library_loaded_from_a_spoofed_call_stack.toml	47
behavior/rules/windows/defense_evasion_library_loaded_via_a_callback_function.toml	53
behavior/rules/windows/defense_evasion_library_loaded_via_thread_fiber_callback.toml	45
behavior/rules/windows/defense_evasion_managed_.net_code_execution_via_powershell.toml	72
behavior/rules/windows/defense_evasion_managed_.net_code_execution_via_windows_script_interpreter.toml	76
behavior/rules/windows/defense_evasion_memory_allocation_from_a_high_entropy_module.toml	74
behavior/rules/windows/defense_evasion_memory_protection_modification_of_an_unsigned_dll_v1.toml	61
behavior/rules/windows/defense_evasion_microsoft_common_language_runtime_loaded_from_suspicious_memory.toml	58
behavior/rules/windows/defense_evasion_module_stomping_from_a_copied_library.toml	53
behavior/rules/windows/defense_evasion_msbuild_with_unusual_arguments.toml	57
behavior/rules/windows/defense_evasion_msiexec_execution_via_a_windows_script_interpreter.toml	76
behavior/rules/windows/defense_evasion_network_activity_from_a_reflected_process.toml	38
behavior/rules/windows/defense_evasion_network_activity_from_a_stomped_module.toml	95
behavior/rules/windows/defense_evasion_network_connection_via_process_with_unusual_arguments.toml	78
behavior/rules/windows/defense_evasion_network_library_load_via_ldrloaddll.toml	66
behavior/rules/windows/defense_evasion_network_module_loaded_from_suspicious_unbacked_memory.toml	249
behavior/rules/windows/defense_evasion_ntdll_loaded_from_an_unusual_path.toml	55
behavior/rules/windows/defense_evasion_ntdll_memory_protection_change_via_unsigned_dll.toml	80
behavior/rules/windows/defense_evasion_oversized_dll_creation_followed_by_sideload.toml	72
behavior/rules/windows/defense_evasion_parallel_ntdll_loaded_from_unbacked_memory.toml	51
behavior/rules/windows/defense_evasion_parent_process_pid_spoofing.toml	148
behavior/rules/windows/defense_evasion_payload_decoded_via_certutil.toml	47
behavior/rules/windows/defense_evasion_potential_autoconfigurl_settings_hijack.toml	42
behavior/rules/windows/defense_evasion_potential_beacon_masking_from_a_stomped_module.toml	34
behavior/rules/windows/defense_evasion_potential_cve_2024_21338_exploitation.toml	60
behavior/rules/windows/defense_evasion_potential_defense_evasion_via_filter_manager_control_program.toml	35
behavior/rules/windows/defense_evasion_potential_dll_hijack_via_directory_spoofing.toml	58
behavior/rules/windows/defense_evasion_potential_dll_hijacking_via_environment_paths.toml	98
behavior/rules/windows/defense_evasion_potential_dll_hollowing_from_a_writable_image.toml	44
behavior/rules/windows/defense_evasion_potential_dll_hollowing_with_transactional_ntfs.toml	37
behavior/rules/windows/defense_evasion_potential_dll_search_order_hijacking_of_an_existing_program.toml	68
behavior/rules/windows/defense_evasion_potential_dll_sideload_via_a_microsoft_signed_binary.toml	60
behavior/rules/windows/defense_evasion_potential_dll_sideload_via_a_renamed_signed_binary.toml	53
behavior/rules/windows/defense_evasion_potential_elastic_tampering_via_pendingfilerename.toml	47
behavior/rules/windows/defense_evasion_potential_endpoint_security_evasion_via_firewallrules.toml	47
behavior/rules/windows/defense_evasion_potential_evasion_via_asp.net_compiler.toml	39
behavior/rules/windows/defense_evasion_potential_evasion_via_dotnet_framework_installation_utility.toml	72
behavior/rules/windows/defense_evasion_potential_evasion_via_inline_execute_assembly.toml	52
behavior/rules/windows/defense_evasion_potential_evasion_via_intel_gfxdownloadwrapper.toml	58
behavior/rules/windows/defense_evasion_potential_evasion_via_invalid_code_signature.toml	79
behavior/rules/windows/defense_evasion_potential_evasion_via_oversized_image_load.toml	61
behavior/rules/windows/defense_evasion_potential_evasion_via_stack_rumbling.toml	61
behavior/rules/windows/defense_evasion_potential_evasion_with_hardware_breakpoints.toml	92
behavior/rules/windows/defense_evasion_potential_executable_stored_in_the_registry.toml	36
behavior/rules/windows/defense_evasion_potential_exploit_via_fake_rpc_messages.toml	43
behavior/rules/windows/defense_evasion_potential_image_load_via_transactional_ntfs.toml	49
behavior/rules/windows/defense_evasion_potential_image_load_with_a_spoofed_creation_time.toml	97
behavior/rules/windows/defense_evasion_potential_initial_access_via_dll_search_order_hijacking.toml	70
behavior/rules/windows/defense_evasion_potential_injection_from_a_lua_script.toml	45
behavior/rules/windows/defense_evasion_potential_injection_via_asynchronous_procedure_call.toml	46
behavior/rules/windows/defense_evasion_potential_injection_via_dotnet_debugging.toml	57
behavior/rules/windows/defense_evasion_potential_injection_via_module_stomping.toml	76
behavior/rules/windows/defense_evasion_potential_injection_via_nsis_installer.toml	43
behavior/rules/windows/defense_evasion_potential_injection_via_pyinstaller_executable.toml	44
behavior/rules/windows/defense_evasion_potential_injection_via_the_console_window_class.toml	43
behavior/rules/windows/defense_evasion_potential_library_load_via_rop_gadgets.toml	57
behavior/rules/windows/defense_evasion_potential_logonuser_api_hooking.toml	42
behavior/rules/windows/defense_evasion_potential_masquerading_as_svchost.toml	95
behavior/rules/windows/defense_evasion_potential_masquerading_as_windows_error_manager.toml	85
behavior/rules/windows/defense_evasion_potential_netntlmv1_downgrade_attack.toml	34
behavior/rules/windows/defense_evasion_potential_ntdll_memory_unhooking.toml	85
behavior/rules/windows/defense_evasion_potential_operation_via_direct_syscall.toml	90
behavior/rules/windows/defense_evasion_potential_parent_process_pid_spoofing_via_malseclogon.toml	66
behavior/rules/windows/defense_evasion_potential_process_creation_via_direct_syscall.toml	40
behavior/rules/windows/defense_evasion_potential_process_creation_via_shellcode.toml	46
behavior/rules/windows/defense_evasion_potential_protected_process_dll_injection_via_rpc.toml	43
behavior/rules/windows/defense_evasion_potential_remote_code_injection.toml	109
behavior/rules/windows/defense_evasion_potential_self_deletion_of_a_running_executable.toml	48
behavior/rules/windows/defense_evasion_potential_shellcode_fluctuation_v1.toml	121
behavior/rules/windows/defense_evasion_potential_shellcode_injection_via_a_webshell.toml	51
behavior/rules/windows/defense_evasion_potential_shellcode_injection_via_clr.toml	125
behavior/rules/windows/defense_evasion_potential_shellcode_injection_via_node.js.toml	41
behavior/rules/windows/defense_evasion_potential_suspended_process_code_injection.toml	116
behavior/rules/windows/defense_evasion_potential_unbacked_memory_content_masking.toml	37
behavior/rules/windows/defense_evasion_privilege_escalation_via_microsoft_exchange_dll_hijacking.toml	43
behavior/rules/windows/defense_evasion_process_anti_debug_via_memory_patching.toml	58
behavior/rules/windows/defense_evasion_process_creation_from_a_stomped_module.toml	65
behavior/rules/windows/defense_evasion_process_creation_from_backed_rwx_memory.toml	81
behavior/rules/windows/defense_evasion_process_creation_from_unbacked_memory_via_unsigned_parent.toml	60
behavior/rules/windows/defense_evasion_process_creation_via_rop_gadgets.toml	59
behavior/rules/windows/defense_evasion_process_creation_with_unusual_mitigation.toml	88
behavior/rules/windows/defense_evasion_process_executable_image_tampering_attempt.toml	47
behavior/rules/windows/defense_evasion_process_execution_with_unusual_file_extension.toml	44
behavior/rules/windows/defense_evasion_process_explorer_device_access_by_unusual_process.toml	54
behavior/rules/windows/defense_evasion_process_from_archive_or_removable_media_via_unbacked_code.toml	64
behavior/rules/windows/defense_evasion_process_memory_write_to_a_non_child_process.toml	184
behavior/rules/windows/defense_evasion_process_stared_via_remote_thread.toml	42
behavior/rules/windows/defense_evasion_process_suspended_via_ttd_monitor_driver.toml	52
behavior/rules/windows/defense_evasion_protected_process_light_bypass_via_dll_tampering.toml	101
behavior/rules/windows/defense_evasion_registry_modification_via_wmi_stdregprov.toml	58
behavior/rules/windows/defense_evasion_regsvr32_scriptlet_execution.toml	60
behavior/rules/windows/defense_evasion_regsvr32_with_unusual_arguments.toml	92
behavior/rules/windows/defense_evasion_remote_file_execution_via_msiexec.toml	105
behavior/rules/windows/defense_evasion_remote_memory_write_to_a_non_child_process.toml	71
behavior/rules/windows/defense_evasion_remote_memory_write_to_trusted_target_process.toml	195
behavior/rules/windows/defense_evasion_remote_msi_package_installation_via_msiexec.toml	51
behavior/rules/windows/defense_evasion_remote_process_injection_via_mapping.toml	45
behavior/rules/windows/defense_evasion_remote_process_injection_via_python.toml	40
behavior/rules/windows/defense_evasion_remote_process_memory_write_by_low_reputation_module.toml	177
behavior/rules/windows/defense_evasion_remote_thread_context_manipulation.toml	100
behavior/rules/windows/defense_evasion_renamed_autoit_scripts_interpreter.toml	40
behavior/rules/windows/defense_evasion_renamed_third_party_administrator_tools.toml	46
behavior/rules/windows/defense_evasion_renamed_windows_automaton_script_interpreter.toml	83
behavior/rules/windows/defense_evasion_rundll32_or_regsvr32_executing_an_oversized_file.toml	49
behavior/rules/windows/defense_evasion_rundll32_or_regsvr32_loaded_a_dll_from_unbacked_memory.toml	100
behavior/rules/windows/defense_evasion_rundll32_regsvr32_loads_a_dll_downloaded_via_bits.toml	56
behavior/rules/windows/defense_evasion_rundll32_with_unusual_arguments.toml	156
behavior/rules/windows/defense_evasion_script_execution_via_microsoft_html_application.toml	85
behavior/rules/windows/defense_evasion_script_execution_via_msxsl.toml	55
behavior/rules/windows/defense_evasion_scriptlet_execution_via_cmstp.toml	59
behavior/rules/windows/defense_evasion_scriptlet_execution_via_rundll32.toml	60
behavior/rules/windows/defense_evasion_scriptlet_proxy_execution_via_pubprn.toml	60
behavior/rules/windows/defense_evasion_self_injection_via_appdomain_manager_assembly.toml	79
behavior/rules/windows/defense_evasion_shadow_copy_service_disabled_via_registry_modification.toml	46
behavior/rules/windows/defense_evasion_shellcode_api_behavior_from_a_signed_module.toml	248
behavior/rules/windows/defense_evasion_shellcode_behavior_from_suspicious_rwx_provenance.toml	74
behavior/rules/windows/defense_evasion_shellcode_execution_from_low_reputation_module.toml	123
behavior/rules/windows/defense_evasion_shellcode_execution_via_a_callback_function.toml	71
behavior/rules/windows/defense_evasion_shellcode_execution_via_python_script.toml	40
behavior/rules/windows/defense_evasion_shellcode_fluctuation_via_callback.toml	40
behavior/rules/windows/defense_evasion_shellcode_from_unusual_microsoft_signed_module.toml	61
behavior/rules/windows/defense_evasion_shellcode_injection_from_mounted_device.toml	49
behavior/rules/windows/defense_evasion_shellcode_injection_via_powershell.toml	78
behavior/rules/windows/defense_evasion_shellcode_injection_with_parent_as_provenance.toml	79
behavior/rules/windows/defense_evasion_suspicious_activity_from_a_control_panel_applet.toml	59
behavior/rules/windows/defense_evasion_suspicious_api_call_via_a_windows_installer_module.toml	55
behavior/rules/windows/defense_evasion_suspicious_api_call_via_windows_script_interpreter.toml	78
behavior/rules/windows/defense_evasion_suspicious_appdomain_manager_configuration_file.toml	76
behavior/rules/windows/defense_evasion_suspicious_bitsadmin_activity.toml	108
behavior/rules/windows/defense_evasion_suspicious_call_stack_trailing_bytes.toml	45
behavior/rules/windows/defense_evasion_suspicious_control_panel_dll_loaded_by_explorer.toml	63
behavior/rules/windows/defense_evasion_suspicious_dllregisterserver_execution_via_msiexec.toml	44
behavior/rules/windows/defense_evasion_suspicious_executable_memory_mapping.toml	87
behavior/rules/windows/defense_evasion_suspicious_executable_memory_permission_modification.toml	55
behavior/rules/windows/defense_evasion_suspicious_execution_from_a_mounted_device.toml	76
behavior/rules/windows/defense_evasion_suspicious_execution_from_an_oversized_executable.toml	79
behavior/rules/windows/defense_evasion_suspicious_execution_via_dcom.toml	171
behavior/rules/windows/defense_evasion_suspicious_execution_via_dotnet_remoting.toml	49
behavior/rules/windows/defense_evasion_suspicious_execution_via_ihxhelppaneserver.toml	77
behavior/rules/windows/defense_evasion_suspicious_image_load_by_system_protected_process.toml	50
behavior/rules/windows/defense_evasion_suspicious_image_load_from_smb_shares.toml	75
behavior/rules/windows/defense_evasion_suspicious_image_load_via_ldrloaddll.toml	61
behavior/rules/windows/defense_evasion_suspicious_imageload_from_an_iso_mounted_device.toml	49
behavior/rules/windows/defense_evasion_suspicious_imageload_via_odbc_driver_configuration_program.toml	44
behavior/rules/windows/defense_evasion_suspicious_imageload_via_windows_certoc.toml	36
behavior/rules/windows/defense_evasion_suspicious_imageload_via_windows_update_auto_update_client.toml	56
behavior/rules/windows/defense_evasion_suspicious_kernel32_memory_protection.toml	50
behavior/rules/windows/defense_evasion_suspicious_memory_page_protection.toml	112
behavior/rules/windows/defense_evasion_suspicious_memory_protection_fluctuation.toml	87
behavior/rules/windows/defense_evasion_suspicious_memory_size_protection_via_virtualprotect.toml	64
behavior/rules/windows/defense_evasion_suspicious_msiexec_child_process.toml	95
behavior/rules/windows/defense_evasion_suspicious_ntdll_image_load.toml	57
behavior/rules/windows/defense_evasion_suspicious_ntdll_memory_write.toml	42
behavior/rules/windows/defense_evasion_suspicious_null_terminated_call_stack.toml	91
behavior/rules/windows/defense_evasion_suspicious_okta_agent_cross_process_activity.toml	50
behavior/rules/windows/defense_evasion_suspicious_parent_child_relationship.toml	116
behavior/rules/windows/defense_evasion_suspicious_powershell_console_history_deletion.toml	50
behavior/rules/windows/defense_evasion_suspicious_process_creation_via_reflection.toml	45
behavior/rules/windows/defense_evasion_suspicious_process_with_a_spoofed_parent.toml	102
behavior/rules/windows/defense_evasion_suspicious_remote_memory_allocation.toml	103
behavior/rules/windows/defense_evasion_suspicious_remote_process_suspend_activity.toml	142
behavior/rules/windows/defense_evasion_suspicious_remote_registry_modification.toml	75
behavior/rules/windows/defense_evasion_suspicious_shell_extension_handler_registry_modification.toml	67
behavior/rules/windows/defense_evasion_suspicious_suspended_process_creation.toml	61
behavior/rules/windows/defense_evasion_suspicious_unsigned_dll_loaded_by_a_trusted_process.toml	64
behavior/rules/windows/defense_evasion_suspicious_windows_api_call_from_virtual_disk_or_usb.toml	59
behavior/rules/windows/defense_evasion_suspicious_windows_core_module_change.toml	90
behavior/rules/windows/defense_evasion_suspicious_windows_defender_exclusions_added_via_powershell.toml	82
behavior/rules/windows/defense_evasion_suspicious_windows_defender_registry_modification.toml	72
behavior/rules/windows/defense_evasion_suspicious_windows_explorer_execution.toml	83
behavior/rules/windows/defense_evasion_suspicious_windows_lua_script_execution.toml	44
behavior/rules/windows/defense_evasion_suspicious_windows_nt_api_hooking.toml	51
behavior/rules/windows/defense_evasion_suspicious_wmic_xsl_script_execution.toml	62
behavior/rules/windows/defense_evasion_system_binary_proxy_execution_via_scriptrunner.toml	37
behavior/rules/windows/defense_evasion_thread_suspension_from_unbacked_memory.toml	51
behavior/rules/windows/defense_evasion_transacted_file_activity_via_an_unsigned_dll.toml	42
behavior/rules/windows/defense_evasion_unbacked_shellcode_from_unsigned_module.toml	138
behavior/rules/windows/defense_evasion_unsigned_dll_from_suspicious_directory.toml	140
behavior/rules/windows/defense_evasion_unsigned_dll_loaded_by_an_elastic_signed_binary.toml	45
behavior/rules/windows/defense_evasion_unsigned_dll_loaded_by_rundll32_via_com.toml	58
behavior/rules/windows/defense_evasion_untrusted_dll_loaded_by_a_persistent_program.toml	175
behavior/rules/windows/defense_evasion_unusual_dll_extension_loaded_by_rundll32_or_regsvr32.toml	78
behavior/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml	47
behavior/rules/windows/defense_evasion_unusual_process_running_as_antimalware_protected.toml	127
behavior/rules/windows/defense_evasion_unusual_registry_modification_via_wmi.toml	73
behavior/rules/windows/defense_evasion_unusual_windows_system_service_disabled.toml	53
behavior/rules/windows/defense_evasion_user_account_control_disabled_via_registry.toml	64
behavior/rules/windows/defense_evasion_virtualalloc_api_call_from_an_unsigned_dll.toml	110
behavior/rules/windows/defense_evasion_virtualprotect_call_via_nttestalert.toml	42
behavior/rules/windows/defense_evasion_virtualprotect_via_vectored_exception_handling.toml	49
behavior/rules/windows/defense_evasion_waasmedicsvc_com_type_lib_hijack.toml	58
behavior/rules/windows/defense_evasion_windows_api_call_via_indirect_random_syscall.toml	108
behavior/rules/windows/defense_evasion_windows_api_via_a_callback_function.toml	54
behavior/rules/windows/defense_evasion_windows_console_execution_from_unbacked_memory.toml	128
behavior/rules/windows/defense_evasion_windows_defender_exclusions_by_extension.toml	49
behavior/rules/windows/defense_evasion_windows_defender_exclusions_by_path.toml	50
behavior/rules/windows/defense_evasion_windows_defender_exclusions_via_wmi.toml	57
behavior/rules/windows/defense_evasion_windows_error_manager_reporting_masquerading.toml	44
behavior/rules/windows/defense_evasion_windows_firewall_exception_list_modified_via_untrusted_process.toml	52
behavior/rules/windows/defense_evasion_windows_installer_execution_via_explorer.toml	41
behavior/rules/windows/defense_evasion_windows_system_module_remote_hooking.toml	57
behavior/rules/windows/defense_evasion_windows_trojan_zloader.toml	46
behavior/rules/windows/defense_evasion_writeprocessmemory_to_suspicious_memory_location.toml	68
behavior/rules/windows/discovery_external_ip_address_discovery_via_a_trusted_program.toml	90
behavior/rules/windows/discovery_external_ip_address_discovery_via_untrusted_program.toml	111
behavior/rules/windows/discovery_potential_browser_information_discovery.toml	77
behavior/rules/windows/discovery_potential_hawkeyes_stealer_infection.toml	50
behavior/rules/windows/discovery_potential_virtual_machine_fingerprinting_via_vmdetect.toml	40
behavior/rules/windows/discovery_suspicious_remote_security_product_enumeration.toml	35
behavior/rules/windows/discovery_suspicious_security_product_enumeration.toml	136
behavior/rules/windows/discovery_suspicious_windows_ldap_image_load.toml	67
behavior/rules/windows/execution_.net_com_object_created_in_non_standard_windows_script_interpreter.toml	82
behavior/rules/windows/execution_attempt_to_mount_a_remote_webdav_share.toml	62
behavior/rules/windows/execution_command_and_scripting_interpreter_from_suspicious_parent.toml	69
behavior/rules/windows/execution_command_shell_activity_started_via_rundll32.toml	75
behavior/rules/windows/execution_command_shell_execution_from_untrusted_origin.toml	88
behavior/rules/windows/execution_dll_loaded_from_webdav_share.toml	41
behavior/rules/windows/execution_dynwrapx_image_load_via_windows_scripts.toml	50
behavior/rules/windows/execution_embedded_executable_via_windows_shortcut_file.toml	79
behavior/rules/windows/execution_encoded_powershell_execution_via_msiexec.toml	59
behavior/rules/windows/execution_execution_from_a_password_protected_self_extracting_archive.toml	41
behavior/rules/windows/execution_execution_from_unusual_directory.toml	189
behavior/rules/windows/execution_execution_from_zip_file_via_explorer.toml	81
behavior/rules/windows/execution_execution_of_a_downloaded_executable_with_low_or_unknown_reputation.toml	47
behavior/rules/windows/execution_execution_of_a_downloaded_windows_script_via_explorer.toml	90
behavior/rules/windows/execution_execution_of_a_file_downloaded_via_windows_openssh.toml	77
behavior/rules/windows/execution_execution_of_a_file_written_by_windows_script_host.toml	65
behavior/rules/windows/execution_execution_of_a_windows_script_downloaded_from_the_internet.toml	74
behavior/rules/windows/execution_execution_of_a_windows_script_downloaded_via_a_lolbin.toml	80
behavior/rules/windows/execution_execution_of_a_windows_script_file_written_by_a_suspicious_process.toml	107
behavior/rules/windows/execution_execution_of_a_windows_script_with_unusual_file_extension.toml	61
behavior/rules/windows/execution_execution_via_obfuscated_windows_script.toml	96
behavior/rules/windows/execution_execution_via_outlook_application_com_object.toml	102
behavior/rules/windows/execution_execution_via_suspicious_javascript_updates.toml	84
behavior/rules/windows/execution_execution_via_syncappvpublishingserver.toml	62
behavior/rules/windows/execution_execution_via_wmi_activescript_event_consumer.toml	76
behavior/rules/windows/execution_execution_via_wmi_commandline_event_consumer.toml	45
behavior/rules/windows/execution_execution_via_wmi_followed_by_network_connection.toml	52
behavior/rules/windows/execution_java_application_execution_from_suspicious_paths.toml	52
behavior/rules/windows/execution_java_application_with_unusual_file_extension.toml	58
behavior/rules/windows/execution_malicious_reputation_of_executable_download.toml	46
behavior/rules/windows/execution_oversized_windows_script_execution.toml	66
behavior/rules/windows/execution_potential_command_and_control_via_windows_scripts.toml	62
behavior/rules/windows/execution_potential_execution_via_zipexec.toml	55
behavior/rules/windows/execution_potential_obfuscated_script_execution.toml	91
behavior/rules/windows/execution_potential_pentesting_powershell_script.toml	95
behavior/rules/windows/execution_potential_powershell_empire_execution.toml	43
behavior/rules/windows/execution_potential_reverse_shell_via_java.toml	59
behavior/rules/windows/execution_potential_reverse_shell_via_powershell.toml	54
behavior/rules/windows/execution_powershell_empire_script_execution.toml	41
behavior/rules/windows/execution_powershell_engine_loaded_via_injection.toml	65
behavior/rules/windows/execution_powershell_execution_via_named_pipe.toml	58
behavior/rules/windows/execution_powershell_execution_via_runscripthelper.toml	35
behavior/rules/windows/execution_process_creation_from_an_unusual_wmi_client.toml	71
behavior/rules/windows/execution_process_termination_from_an_unusual_wmi_client.toml	62
behavior/rules/windows/execution_script_execution_from_webdav.toml	56
behavior/rules/windows/execution_script_execution_via_apds_xss_injection.toml	64
behavior/rules/windows/execution_shell_execution_via_windows_shortcut_file.toml	90
behavior/rules/windows/execution_suspicious_api_call_from_a_powershell_script.toml	66
behavior/rules/windows/execution_suspicious_cmd_execution_via_wmi.toml	53
behavior/rules/windows/execution_suspicious_command_shell_execution_via_windows_run.toml	71
behavior/rules/windows/execution_suspicious_execution_from_a_windows_script.toml	73
behavior/rules/windows/execution_suspicious_execution_from_mssql_service.toml	63
behavior/rules/windows/execution_suspicious_execution_via_microsoft_common_console.toml	101
behavior/rules/windows/execution_suspicious_execution_via_sql_powershell.toml	36
behavior/rules/windows/execution_suspicious_execution_via_windows_management_instrumentation.toml	123
behavior/rules/windows/execution_suspicious_image_load_via_windows_scripts.toml	54
behavior/rules/windows/execution_suspicious_java_execution_via_a_windows_script.toml	45
behavior/rules/windows/execution_suspicious_javascript_execution_via_node.js.toml	57
behavior/rules/windows/execution_suspicious_oversized_script_execution.toml	68
behavior/rules/windows/execution_suspicious_php_script_execution.toml	69
behavior/rules/windows/execution_suspicious_powershell_downloads.toml	119
behavior/rules/windows/execution_suspicious_powershell_execution.toml	179
behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml	128
behavior/rules/windows/execution_suspicious_powershell_script_with_.net_reflection.toml	75
behavior/rules/windows/execution_suspicious_python_script_interpreter.toml	113
behavior/rules/windows/execution_suspicious_script_execution_via_vbsedit_launcher.toml	48
behavior/rules/windows/execution_suspicious_windows_command_shell_execution.toml	144
behavior/rules/windows/execution_suspicious_windows_component_object_model_via_dllhost.toml	172
behavior/rules/windows/execution_suspicious_windows_script_base64_encoding.toml	55
behavior/rules/windows/execution_suspicious_windows_script_downloaded_from_the_internet.toml	94
behavior/rules/windows/execution_suspicious_windows_script_file_name.toml	125
behavior/rules/windows/execution_suspicious_windows_script_interpreter_child_process.toml	91
behavior/rules/windows/execution_suspicious_windows_script_process_execution.toml	85
behavior/rules/windows/execution_suspicious_windows_shortcut_file_creation_or_modification.toml	94
behavior/rules/windows/execution_suspicious_wmi_enumeration_via_windows_scripts.toml	74
behavior/rules/windows/execution_suspicious_wmi_library_load.toml	35
behavior/rules/windows/execution_unusual_powershell_engine_imageload.toml	139
behavior/rules/windows/execution_windows_installer_via_windows_script.toml	77
behavior/rules/windows/execution_windows_script_executed_from_a_suspicious_path.toml	78
behavior/rules/windows/execution_windows_script_execution_from_archive_file.toml	68
behavior/rules/windows/execution_windows_script_execution_via_mmc_console_file.toml	68
behavior/rules/windows/execution_windows_shortcut_file_embedded_object_execution.toml	104
behavior/rules/windows/impact_bcdedit_safe_mode_command_execution.toml	85
behavior/rules/windows/impact_inhibit_system_recovery_followed_by_a_suspicious_file_rename.toml	59
behavior/rules/windows/impact_inhibit_system_recovery_via_microsoft_office_process.toml	83
behavior/rules/windows/impact_inhibit_system_recovery_via_obfuscated_commands.toml	104
behavior/rules/windows/impact_inhibit_system_recovery_via_renamed_utilities.toml	57
behavior/rules/windows/impact_inhibit_system_recovery_via_signed_binary_proxy.toml	118
behavior/rules/windows/impact_inhibit_system_recovery_via_stopping_backup_services.toml	81
behavior/rules/windows/impact_inhibit_system_recovery_via_untrusted_parent_process.toml	48
behavior/rules/windows/impact_inhibit_system_recovery_via_windows_command_shell.toml	76
behavior/rules/windows/impact_potential_crypto_mining_activity.toml	84
behavior/rules/windows/impact_potential_data_wiping_attack_behavior.toml	57
behavior/rules/windows/impact_potential_ransomware_note_file.toml	88
behavior/rules/windows/impact_potential_ransomware_note_file_via_smb.toml	44
behavior/rules/windows/impact_shadow_copy_deletion_via_windows_management_instrumentation.toml	47
behavior/rules/windows/impact_suspicious_file_rename_by_an_unusual_process.toml	77
behavior/rules/windows/impact_suspicious_file_rename_from_unbacked_memory.toml	76
behavior/rules/windows/impact_suspicious_file_rename_via_smb.toml	46
behavior/rules/windows/impact_vss_service_disabled_followed_by_a_suspicious_file_rename.toml	54
behavior/rules/windows/initial_access_dll_loaded_from_a_macro_enabled_document.toml	79
behavior/rules/windows/initial_access_execution_from_a_downloaded_iso_file.toml	52
behavior/rules/windows/initial_access_execution_from_a_macro_enabled_office_document.toml	99
behavior/rules/windows/initial_access_execution_of_commonly_abused_utilities_via_explorer_trampoline.toml	110
behavior/rules/windows/initial_access_execution_of_file_written_or_modified_by_microsoft_equation_editor.toml	61
behavior/rules/windows/initial_access_execution_of_file_written_or_modified_by_microsoft_office.toml	53
behavior/rules/windows/initial_access_execution_via_a_suspicious_wmi_client.toml	110
behavior/rules/windows/initial_access_execution_via_microsoft_excel_xll_add_in.toml	61
behavior/rules/windows/initial_access_file_execution_via_microsoft_html_help.toml	54
behavior/rules/windows/initial_access_microsoft_equation_editor_child_process.toml	55
behavior/rules/windows/initial_access_microsoft_office_fetching_remote_content.toml	56
behavior/rules/windows/initial_access_microsoft_office_file_execution_via_script_interpreter.toml	46
behavior/rules/windows/initial_access_microsoft_office_file_execution_via_wmi.toml	57
behavior/rules/windows/initial_access_microsoft_office_loaded_a_dropped_executable_file.toml	69
behavior/rules/windows/initial_access_microsoft_office_process_setting_persistence_via_startup.toml	56
behavior/rules/windows/initial_access_potential_browser_exploit_via_fake_rpc_messages.toml	60
behavior/rules/windows/initial_access_potential_cve_2024_21412_exploitation.toml	56
behavior/rules/windows/initial_access_potential_decoy_document_via_user_execution.toml	87
behavior/rules/windows/initial_access_potential_execution_via_foxmail_exploitation.toml	51
behavior/rules/windows/initial_access_potential_execution_via_winrar_exploitation.toml	65
behavior/rules/windows/initial_access_potential_initial_access_via_rogue_rdp_server.toml	58
behavior/rules/windows/initial_access_potential_microsoft_outlook_remote_code_execution.toml	66
behavior/rules/windows/initial_access_potential_webshell_via_screenconnect_server.toml	52
behavior/rules/windows/initial_access_potential_winrar_cve_2023_38831_exploitation.toml	61
behavior/rules/windows/initial_access_powershell_obfuscation_spawned_via_microsoft_office.toml	114
behavior/rules/windows/initial_access_process_creation_via_microsoft_office_add_ins.toml	65
behavior/rules/windows/initial_access_registry_modification_via_microsoft_office.toml	92
behavior/rules/windows/initial_access_rundll32_regsvr32_loads_dropped_executable.toml	124
behavior/rules/windows/initial_access_script_file_written_by_microsoft_office_process.toml	98
behavior/rules/windows/initial_access_shortcut_file_modification_via_macro_enabled_document.toml	69
behavior/rules/windows/initial_access_signed_binary_execution_via_microsoft_office.toml	107
behavior/rules/windows/initial_access_suspicious_execution_from_a_pdf_documents.toml	45
behavior/rules/windows/initial_access_suspicious_execution_from_inet_cache.toml	71
behavior/rules/windows/initial_access_suspicious_execution_via_a_mounted_image_file.toml	47
behavior/rules/windows/initial_access_suspicious_execution_via_compiled_html_file.toml	73
behavior/rules/windows/initial_access_suspicious_execution_via_microsoft_officecmd_url_handler.toml	36
behavior/rules/windows/initial_access_suspicious_execution_via_shellbrowserwindow_shellwindow_com.toml	112
behavior/rules/windows/initial_access_suspicious_file_delivery_via_html_smuggling.toml	73
behavior/rules/windows/initial_access_suspicious_file_dropped_by_a_macro_enabled_document.toml	47
behavior/rules/windows/initial_access_suspicious_microsoft_html_help_descendant.toml	75
behavior/rules/windows/initial_access_suspicious_microsoft_iis_worker_descendant.toml	83
behavior/rules/windows/initial_access_suspicious_microsoft_office_child_process.toml	118
behavior/rules/windows/initial_access_suspicious_microsoft_office_embedded_object.toml	54
behavior/rules/windows/initial_access_suspicious_microsoft_onenote_child_process.toml	84
behavior/rules/windows/initial_access_suspicious_ms_office_execution_via_dcom.toml	65
behavior/rules/windows/initial_access_suspicious_network_connection_from_microsoft_equation_editor.toml	56
behavior/rules/windows/initial_access_suspicious_registry_modification_via_wmi.toml	197
behavior/rules/windows/initial_access_suspicious_shortcut_file_overwrite.toml	61
behavior/rules/windows/initial_access_suspicious_virtualprotect_via_jscript9_from_internet_explorer.toml	112
behavior/rules/windows/initial_access_untrusted_document_opened_via_microsoft_office.toml	121
behavior/rules/windows/initial_access_untrusted_file_execution_via_microsoft_office.toml	49
behavior/rules/windows/initial_access_windows_command_shell_spawned_via_microsoft_office.toml	93
behavior/rules/windows/initial_access_wmi_image_load_via_microsoft_office.toml	85
behavior/rules/windows/initial_access_wps_office_exploit_via_dll_hijack.toml	50
behavior/rules/windows/lateral_movement_execution_of_a_file_dropped_from_smb.toml	172
behavior/rules/windows/lateral_movement_execution_of_a_file_dropped_from_smb_via_services.toml	181
behavior/rules/windows/lateral_movement_imageload_of_a_file_dropped_via_smb.toml	84
behavior/rules/windows/lateral_movement_lateral_execution_via_dcom_office_application.toml	41
behavior/rules/windows/lateral_movement_potential_lateral_movement_via_smbexec.toml	58
behavior/rules/windows/lateral_movement_potential_remote_execution_via_imsiserver.toml	54
behavior/rules/windows/lateral_movement_suspicious_nullsessionpipe_registry_modification.toml	64
behavior/rules/windows/lateral_movement_suspicious_process_execution_via_network_logon.toml	356
behavior/rules/windows/lateral_movement_unexpected_smb_connection_from_user_mode_process.toml	71
behavior/rules/windows/lateral_movement_unsigned_file_execution_via_network_logon.toml	58
behavior/rules/windows/lateral_movement_unusual_remote_desktop_client_process.toml	62
behavior/rules/windows/persistence_browser_native_messaging_registry_modification.toml	56
behavior/rules/windows/persistence_chromium_extension_loaded_from_unusual_parent.toml	74
behavior/rules/windows/persistence_component_object_model_registry_modification_by_a_low_reputation_process.toml	52
behavior/rules/windows/persistence_dual_persistence_via_startup_and_scheduled_task.toml	86
behavior/rules/windows/persistence_microsoft_office_addin_creation.toml	43
behavior/rules/windows/persistence_microsoft_office_addin_loaded.toml	58
behavior/rules/windows/persistence_network_connection_via_startup_item.toml	87
behavior/rules/windows/persistence_office_application_startup_via_template_file_modification.toml	57
behavior/rules/windows/persistence_persistence_via_a_process_from_a_removable_or_mounted_iso_device.toml	92
behavior/rules/windows/persistence_persistence_via_autodialdll_registry_modification.toml	43
behavior/rules/windows/persistence_persistence_via_bits_setnotifycmdline_method.toml	58
behavior/rules/windows/persistence_persistence_via_extensible_firmware_modification.toml	79
behavior/rules/windows/persistence_persistence_via_winsock_name_space_dll.toml	49
behavior/rules/windows/persistence_potential_execution_via_shortcut_modification.toml	62
behavior/rules/windows/persistence_registry_or_file_modification_from_suspicious_memory.toml	135
behavior/rules/windows/persistence_registry_persistence_via_microsoft_office_descendant_process.toml	98
behavior/rules/windows/persistence_registry_run_key_modified_by_unusual_process.toml	142
behavior/rules/windows/persistence_registry_run_key_prefixed_with_asterisk.toml	63
behavior/rules/windows/persistence_scheduled_task_by_a_low_reputation_process.toml	55
behavior/rules/windows/persistence_scheduled_task_creation_by_an_unusual_process.toml	160
behavior/rules/windows/persistence_scheduled_task_creation_from_suspicious_parent.toml	63
behavior/rules/windows/persistence_scheduled_task_creation_via_unsigned_parent.toml	55
behavior/rules/windows/persistence_scheduled_task_from_a_browser_or_compression_utility_descendant.toml	68
behavior/rules/windows/persistence_scheduled_task_from_a_removable_or_mounted_iso_device.toml	69
behavior/rules/windows/persistence_script_file_written_to_startup_folder.toml	41
behavior/rules/windows/persistence_script_interpreter_process_writing_to_commonly_abused_persistence_locations.toml	91
behavior/rules/windows/persistence_self_service_persistence_by_an_unsigned_process.toml	93
behavior/rules/windows/persistence_startup_persistence_by_a_low_reputation_process.toml	105
behavior/rules/windows/persistence_startup_persistence_from_a_browser_or_compression_utility_descendant.toml	100
behavior/rules/windows/persistence_startup_persistence_from_backed_rwx_memory.toml	65
behavior/rules/windows/persistence_startup_persistence_via_microsoft_office_descendant_process.toml	75
behavior/rules/windows/persistence_startup_persistence_via_unusual_process.toml	63
behavior/rules/windows/persistence_startup_persistence_via_windows_script_interpreter.toml	97
behavior/rules/windows/persistence_suspicious_api_from_an_unsigned_service_dll.toml	53
behavior/rules/windows/persistence_suspicious_browser_files_modification.toml	55
behavior/rules/windows/persistence_suspicious_browser_preferences_file_modification.toml	59
behavior/rules/windows/persistence_suspicious_component_object_model_registry_modification.toml	79
behavior/rules/windows/persistence_suspicious_execution_via_microsoft_exchange_transport_agent.toml	38
behavior/rules/windows/persistence_suspicious_image_file_execution_options_modification.toml	81
behavior/rules/windows/persistence_suspicious_scheduled_task_creation.toml	66
behavior/rules/windows/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml	69
behavior/rules/windows/persistence_suspicious_scheduled_task_registry_modification.toml	54
behavior/rules/windows/persistence_suspicious_service_imagepath_value.toml	42
behavior/rules/windows/persistence_suspicious_shortcut_modification.toml	85
behavior/rules/windows/persistence_suspicious_startup_persistence_via_a_windows_installer.toml	71
behavior/rules/windows/persistence_suspicious_string_value_written_to_registry_run_key.toml	146
behavior/rules/windows/persistence_suspicious_svchost_registry_modification.toml	57
behavior/rules/windows/persistence_suspicious_windows_authentication_registry_modification.toml	99
behavior/rules/windows/persistence_suspicious_windows_schedule_child_process.toml	167
behavior/rules/windows/persistence_suspicious_windows_service_dll_creation.toml	82
behavior/rules/windows/persistence_suspicious_wmi_event_consumer_subscription.toml	41
behavior/rules/windows/persistence_uncommon_persistence_via_registry_modification.toml	72
behavior/rules/windows/persistence_untrusted_process_writing_to_commonly_abused_persistence_locations.toml	71
behavior/rules/windows/persistence_unusual_file_written_or_modified_in_startup_folder.toml	90
behavior/rules/windows/persistence_unusual_startup_shell_folder_modification.toml	70
behavior/rules/windows/persistence_windows_service_configuration_hjack.toml	47
behavior/rules/windows/privilege_escalation_access_token_manipulation_via_child_process.toml	97
behavior/rules/windows/privilege_escalation_driver_dropped_by_untrusted_executable.toml	65
behavior/rules/windows/privilege_escalation_elevation_via_common_log_file_system_exploitation.toml	44
behavior/rules/windows/privilege_escalation_interactive_logon_by_a_suspicious_process.toml	84
behavior/rules/windows/privilege_escalation_kernel_driver_registered_via_ntloaddriver.toml	53
behavior/rules/windows/privilege_escalation_msi_rollback_script_file_by_unusual_process.toml	60
behavior/rules/windows/privilege_escalation_networkcleartext_logon_by_a_suspicious_process.toml	65
behavior/rules/windows/privilege_escalation_newcredential_logon_by_a_suspicious_process.toml	73
behavior/rules/windows/privilege_escalation_potential_common_log_file_system_exploit.toml	37
behavior/rules/windows/privilege_escalation_potential_common_log_file_system_vulnerability_exploitation.toml	39
behavior/rules/windows/privilege_escalation_potential_execution_via_token_theft.toml	110
behavior/rules/windows/privilege_escalation_potential_exploitation_via_comdotnet_exploit.toml	49
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_cve_2022_38028.toml	45
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_dll_redirection.toml	63
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_elevated_ifileoperation.toml	87
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_file_redirection.toml	99
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_localpotato_exploit.toml	43
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_logonui.toml	41
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_missing_dll.toml	97
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_msi_repair.toml	45
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_rogue_winrm.toml	56
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_token_impersonation.toml	91
behavior/rules/windows/privilege_escalation_potential_uac_bypass_via_ielevatedfactoryserver.toml	59
behavior/rules/windows/privilege_escalation_privilege_escalation_via_extended_startupinfo.toml	108
behavior/rules/windows/privilege_escalation_privilege_escalation_via_named_pipe_impersonation.toml	44
behavior/rules/windows/privilege_escalation_privilege_escalation_via_ntlmrelay2self.toml	50
behavior/rules/windows/privilege_escalation_privilege_escalation_via_seimpersonateprivilege.toml	94
behavior/rules/windows/privilege_escalation_privilege_escalation_via_windir_or_systemroot_environment_variable.toml	43
behavior/rules/windows/privilege_escalation_privilege_escalation_via_windows_installer_hijack.toml	64
behavior/rules/windows/privilege_escalation_process_creation_via_secondary_logon.toml	58
behavior/rules/windows/privilege_escalation_suspicious_execution_as_system_via_windows_command_shell.toml	48
behavior/rules/windows/privilege_escalation_suspicious_execution_via_windows_services.toml	200
behavior/rules/windows/privilege_escalation_suspicious_impersonation_as_trusted_installer.toml	113
behavior/rules/windows/privilege_escalation_suspicious_kernel_mode_address_manipulation.toml	42
behavior/rules/windows/privilege_escalation_suspicious_ntoskrnl_image_load.toml	44
behavior/rules/windows/privilege_escalation_suspicious_registry_symbolic_link.toml	52
behavior/rules/windows/privilege_escalation_suspicious_windows_service_execution.toml	47
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_cdssync_scheduled_task_hijack.toml	60
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_consent_dll_search_order_hijacking.toml	75
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_dccw_dll_search_order_hijacking.toml	76
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_dismcore_dll_side_loading.toml	70
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_dll_side_loading_from_windows_media_player_folder.toml	59
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_elevated_com_internet_explorer_add_on_installer.toml	45
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_mmc_dll_search_order_hijacking.toml	65
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_silentcleanup_task_dll_search_order_hijacking.toml	57
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_windows_directory_masquerading.toml	45
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_wow64_logger_dll_side_loading.toml	65
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_with_ieditionupgrademanager_elevated_com_interface.toml	46
behavior/rules/windows/privilege_escalation_uac_bypass_via_computerdefaults_execution_hijack.toml	46
behavior/rules/windows/privilege_escalation_uac_bypass_via_control_panel_execution_hijack.toml	46
behavior/rules/windows/privilege_escalation_uac_bypass_via_delegateexecute_registry_modification.toml	66
behavior/rules/windows/privilege_escalation_uac_bypass_via_diskcleanup_scheduled_task_hijack.toml	50
behavior/rules/windows/privilege_escalation_uac_bypass_via_event_viewer.toml	65
behavior/rules/windows/privilege_escalation_uac_bypass_via_fodhelper_execution_hijack.toml	46
behavior/rules/windows/privilege_escalation_uac_bypass_via_hijacking_winmgmt_mmc.toml	66
behavior/rules/windows/privilege_escalation_uac_bypass_via_icmluautil_elevated_com_interface.toml	53
behavior/rules/windows/privilege_escalation_uac_bypass_via_malicious_mmc_snap_in_execution.toml	47
behavior/rules/windows/privilege_escalation_uac_bypass_via_sdclt.toml	50
behavior/rules/windows/privilege_escalation_uac_bypass_via_unsafe_deserialization_in_event_viewer.toml	58
behavior/rules/windows/privilege_escalation_uac_bypass_via_windows_activation_execution_hijack.toml	54
behavior/rules/windows/privilege_escalation_uac_bypass_via_windows_firewall_snap_in_hijack.toml	64
behavior/rules/windows/privilege_escalation_uac_bypass_via_wsreset_execution_hijack.toml	53
behavior/rules/windows/privilege_escalation_unsigned_dll_loaded_from_fake_windows_directory.toml	63
behavior/rules/windows/privilege_escalation_untrusted_dll_loaded_by_a_system_windows_process.toml	69
behavior/rules/windows/privilege_escalation_unusual_child_process_integrity_level.toml	59
behavior/rules/windows/privilege_escalation_unusual_desktop_window_manager_child_process.toml	44
behavior/rules/windows/privilege_escalation_unusual_privilege_escalation_to_system.toml	59