Path	Lines of Code
behavior/rules/cross-platform/defense_evasion_kill_command_executed_from_a_hidden_process.toml	60
behavior/rules/cross-platform/defense_evasion_tampering_of_bash_command_line_history.toml	51
behavior/rules/cross-platform/execution_eggshell_backdoor_execution.toml	34
behavior/rules/cross-platform/execution_empire_stager_execution.toml	56
behavior/rules/cross-platform/execution_kill_command_executed_from_binary_in_unusual_location.toml	61
behavior/rules/cross-platform/execution_potential_reverse_shell_activity_via_terminal.toml	59
behavior/rules/cross-platform/execution_privilege_escalation_enumeration_via_linpeas.toml	41
behavior/rules/cross-platform/impact_darkradiation_ransomware_infection.toml	42
behavior/rules/cross-platform/impact_suspicious_recursive_file_deletion_via_built_in_utilities.toml	47
behavior/rules/cross-platform/persistence_potential_persistence_via_direct_crontab_modification.toml	81
behavior/rules/cross-platform/privilege_escalation_sudo_heap_based_buffer_overflow_attempt.toml	57
behavior/rules/linux/command_and_control_curl_socks_proxy_activity_from_unusual_parent.toml	50
behavior/rules/linux/command_and_control_egress_network_connection_followed_by_command_execution.toml	83
behavior/rules/linux/command_and_control_file_downloaded_via_curl_or_wget_to_hidden_directory.toml	63
behavior/rules/linux/command_and_control_hidden_executable_initiated_egress_network_connection.toml	49
behavior/rules/linux/command_and_control_hidden_process_execution_followed_by_network_connection.toml	48
behavior/rules/linux/command_and_control_network_activity_detected_via_cat.toml	52
behavior/rules/linux/command_and_control_network_connection_by_foomatic_rip_child.toml	65
behavior/rules/linux/command_and_control_network_connection_followed_by_file_creation.toml	83
behavior/rules/linux/command_and_control_potential_multi_architecture_file_downloads.toml	56
behavior/rules/linux/command_and_control_potential_vsingle_malware_infection.toml	36
behavior/rules/linux/command_and_control_python_network_connection_followed_by_command_execution.toml	91
behavior/rules/linux/command_and_control_python_network_connection_followed_by_file_creation.toml	86
behavior/rules/linux/credential_access_linux_init_(pid_1)_secret_dump_via_gdb.toml	38
behavior/rules/linux/credential_access_manual_memory_password_searching_activity.toml	41
behavior/rules/linux/credential_access_potential_linux_credential_dumping_via_proc_filesystem.toml	44
behavior/rules/linux/credential_access_potential_linux_credential_dumping_via_unshadow.toml	39
behavior/rules/linux/defense_evasion_auditctl_disabled_via_shell_process.toml	41
behavior/rules/linux/defense_evasion_base64_or_xxd_decode_argument_evasion.toml	66
behavior/rules/linux/defense_evasion_base64_shebang_payload_decoded_via_built_in_utility.toml	81
behavior/rules/linux/defense_evasion_binary_executed_from_shared_memory_directory.toml	42
behavior/rules/linux/defense_evasion_chattr_execution_from_unusual_parent.toml	45
behavior/rules/linux/defense_evasion_chattr_execution_with_unusual_target_file.toml	71
behavior/rules/linux/defense_evasion_cron(d)_service_started_by_unusual_parent.toml	71
behavior/rules/linux/defense_evasion_curl_or_wget_egress_network_connection_via_lolbin.toml	108
behavior/rules/linux/defense_evasion_defense_evasion_via_bind_mount.toml	48
behavior/rules/linux/defense_evasion_defense_evasion_via_hidepid_mount.toml	52
behavior/rules/linux/defense_evasion_egress_network_connection_from_deleted_executable.toml	60
behavior/rules/linux/defense_evasion_execution_of_in_memory_file_via_interactive_session.toml	63
behavior/rules/linux/defense_evasion_global_dynamic_linker_file_copied.toml	73
behavior/rules/linux/defense_evasion_linux_base64_descendant_egress_network_connection.toml	82
behavior/rules/linux/defense_evasion_linux_compilation_in_suspicious_directory.toml	40
behavior/rules/linux/defense_evasion_linux_file_made_executable_by_suspicious_parent.toml	46
behavior/rules/linux/defense_evasion_linux_hidden_file_mounted.toml	50
behavior/rules/linux/defense_evasion_linux_payload_decoded_and_decrypted_via_built_in_utility.toml	84
behavior/rules/linux/defense_evasion_linux_shared_object_load_via_ssh_keygen.toml	39
behavior/rules/linux/defense_evasion_network_activity_from_in_memory_file.toml	67
behavior/rules/linux/defense_evasion_potential_masquerading_via__proc_self_exe.toml	36
behavior/rules/linux/defense_evasion_potential_nologin_ssh_backdoor.toml	40
behavior/rules/linux/defense_evasion_potential_process_injection_via_dd.toml	54
behavior/rules/linux/defense_evasion_potential_process_masquerading_via_exec.toml	68
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_crash.toml	52
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_php.toml	68
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_pidstat.toml	51
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_run_parts.toml	75
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_sed.toml	55
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_split.toml	51
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_sysctl.toml	51
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_systemd_run.toml	70
behavior/rules/linux/defense_evasion_potential_proxy_execution_via_tcpdump.toml	53
behavior/rules/linux/defense_evasion_process_masquerading_as_kernel_process.toml	57
behavior/rules/linux/defense_evasion_process_path_symbolic_link_manipulation.toml	37
behavior/rules/linux/defense_evasion_proxy_shell_execution_via_busybox.toml	54
behavior/rules/linux/defense_evasion_shared_object_file_creation_and_immediate_preload.toml	77
behavior/rules/linux/defense_evasion_shared_object_injection_via_process_environment_variable.toml	114
behavior/rules/linux/defense_evasion_shared_object_load_via_lolbin.toml	71
behavior/rules/linux/defense_evasion_shell_command_execution_via_kworker.toml	55
behavior/rules/linux/defense_evasion_shell_execution_of_non_executable_file.toml	52
behavior/rules/linux/defense_evasion_suspicious_base64_string_command_line.toml	94
behavior/rules/linux/defense_evasion_system_binary_preload_and_immediate_network_connection.toml	70
behavior/rules/linux/defense_evasion_system_binary_proxy_execution_via_ld.so.toml	55
behavior/rules/linux/defense_evasion_timestomping_detected_via_touch.toml	68
behavior/rules/linux/discovery_linux_external_ip_address_discovery_via_curl.toml	62
behavior/rules/linux/execution_bind_shell_via_netcat_traditional.toml	53
behavior/rules/linux/execution_bind_shell_via_node.toml	51
behavior/rules/linux/execution_bind_shell_via_socket.toml	51
behavior/rules/linux/execution_file_creation_by_foomatic_rip_child.toml	51
behavior/rules/linux/execution_foomatic_rip_shell_execution.toml	51
behavior/rules/linux/execution_interactive_shell_spawned_via_hidden_process.toml	50
behavior/rules/linux/execution_linux_background_process_execution_via_shell.toml	42
behavior/rules/linux/execution_linux_hidden_folder_or_file_execution_via_python.toml	43
behavior/rules/linux/execution_linux_powershell_egress_network_connection.toml	81
behavior/rules/linux/execution_linux_powershell_encoded_command.toml	48
behavior/rules/linux/execution_linux_powershell_suspicious_child_process.toml	43
behavior/rules/linux/execution_linux_reverse_shell.toml	60
behavior/rules/linux/execution_linux_reverse_shell_via_child.toml	53
behavior/rules/linux/execution_linux_reverse_shell_via_netcat.toml	60
behavior/rules/linux/execution_linux_reverse_shell_via_setsid_and_nohup.toml	60
behavior/rules/linux/execution_linux_reverse_shell_via_suspicious_utility.toml	79
behavior/rules/linux/execution_linux_suspicious_child_process_execution_via_interactive_shell.toml	57
behavior/rules/linux/execution_netcat_reverse_shell_via_busybox.toml	72
behavior/rules/linux/execution_potential_gsocket_activity.toml	58
behavior/rules/linux/execution_potential_linux_hack_tool_launched.toml	44
behavior/rules/linux/execution_potential_linux_reverse_shell_via_java.toml	81
behavior/rules/linux/execution_potential_reverse_shell_via_named_pipe.toml	84
behavior/rules/linux/execution_printer_user_(lp)_shell_execution.toml	53
behavior/rules/linux/execution_renice_or_ulimit_execution_from_unusual_parent.toml	51
behavior/rules/linux/execution_reverse_or_bind_shell_via_suspicious_utility.toml	58
behavior/rules/linux/execution_reverse_shell_via_networkmanager_dispatcher_script.toml	64
behavior/rules/linux/execution_script_executed_through_unusual_parent_process.toml	56
behavior/rules/linux/execution_shell_via_networkmanager_dispatcher_script.toml	51
behavior/rules/linux/execution_suspicious_command_execution_via_busybox_proxy.toml	73
behavior/rules/linux/execution_suspicious_d_bus_method_call.toml	55
behavior/rules/linux/execution_suspicious_execution_from_foomatic_rip_or_cupsd_parent.toml	68
behavior/rules/linux/execution_suspicious_execution_via_a_hidden_process.toml	63
behavior/rules/linux/execution_suspicious_execution_via_setsid_and_nohup.toml	50
behavior/rules/linux/execution_suspicious_mining_process_events.toml	46
behavior/rules/linux/execution_unusual_execution_from__dev_parent.toml	47
behavior/rules/linux/execution_user_discovery_command_execution_from_shared_memory.toml	47
behavior/rules/linux/impact_msr_write_access_enabled.toml	53
behavior/rules/linux/impact_potential_coin_miner_execution.toml	72
behavior/rules/linux/impact_potential_coin_miner_execution_via_shell.toml	68
behavior/rules/linux/impact_potential_mining_pool_command_detection.toml	73
behavior/rules/linux/initial_access_remote_code_execution_via_confluence_ognl_injection.toml	41
behavior/rules/linux/lateral_movement_potential_ssh_it_ssh_worm_downloaded.toml	48
behavior/rules/linux/persistence_apt_package_manager_command_execution.toml	93
behavior/rules/linux/persistence_apt_package_manager_egress_network_connection.toml	90
behavior/rules/linux/persistence_at_utility_launched_through_udevadm.toml	62
behavior/rules/linux/persistence_binary_execution_from_unusual_location_through_shell_profile.toml	62
behavior/rules/linux/persistence_decode_activity_via_web_server.toml	108
behavior/rules/linux/persistence_egress_connection_by_a_dnf_package_manager_descendant.toml	92
behavior/rules/linux/persistence_egress_connection_by_a_yum_package_manager_descendant.toml	81
behavior/rules/linux/persistence_egress_network_connection_by_motd_child.toml	80
behavior/rules/linux/persistence_egress_network_connection_from_default_dpkg_directory.toml	96
behavior/rules/linux/persistence_egress_network_connection_from_rpm_package.toml	99
behavior/rules/linux/persistence_file_downloaded_and_piped_to_interpreter_by_web_server.toml	80
behavior/rules/linux/persistence_file_downloaded_from_suspicious_source_by_web_server.toml	82
behavior/rules/linux/persistence_file_downloaded_to_suspicious_location_by_web_server.toml	90
behavior/rules/linux/persistence_hidden_payload_executed_via_scheduled_job.toml	121
behavior/rules/linux/persistence_linux_backdoor_network_access_via_unusual_process.toml	57
behavior/rules/linux/persistence_motd_execution_followed_by_egress_network_connection.toml	90
behavior/rules/linux/persistence_network_connection_through_shell_profile.toml	89
behavior/rules/linux/persistence_potential_web_server_directory_traversal.toml	82
behavior/rules/linux/persistence_reverse_shell_executed_via_web_server.toml	91
behavior/rules/linux/persistence_scheduled_job_executing_binary_in_unusual_location.toml	91
behavior/rules/linux/persistence_scheduled_task_unusual_command_execution.toml	115
behavior/rules/linux/persistence_suspicious_download_and_redirect_by_web_server.toml	92
behavior/rules/linux/persistence_suspicious_echo_execution.toml	165
behavior/rules/linux/persistence_suspicious_file_creation_via_web_server.toml	94
behavior/rules/linux/persistence_suspicious_message_of_the_day_execution.toml	68
behavior/rules/linux/persistence_suspicious_process_spawned_from_motd_detected.toml	64
behavior/rules/linux/persistence_system_v_init_(init.d)_egress_network_connection.toml	66
behavior/rules/linux/persistence_system_v_init_(init.d)_executed_binary_from_unusual_location.toml	46
behavior/rules/linux/persistence_systemd_execution_followed_by_network_connection.toml	113
behavior/rules/linux/persistence_udev_execution_followed_by_egress_network_connection.toml	86
behavior/rules/linux/persistence_unusual_command_executed_by_web_server.toml	119
behavior/rules/linux/privilege_escalation_cve_2023_0386_exploitation_attempt.toml	41
behavior/rules/linux/privilege_escalation_potential_privilege_escalation_via_cve_2023_4911.toml	37
behavior/rules/linux/privilege_escalation_potential_privilege_escalation_via_fuse_binary.toml	38
behavior/rules/linux/privilege_escalation_potential_privilege_escalation_via_overlayfs.toml	39
behavior/rules/linux/privilege_escalation_potential_sudo_privilege_escalation_via_cve_2019_14287.toml	34
behavior/rules/linux/privilege_escalation_privilege_escalation_via_pkexec_exploitation.toml	40
behavior/rules/linux/privilege_escalation_privilege_escalation_via_polkit_system_service.toml	49
behavior/rules/macos/collection_clipboard_accessed_by_unsigned_or_untrusted_binary.toml	41
behavior/rules/macos/collection_discovery_result_written_to_a_suspicious_file_via_discovery_process.toml	54
behavior/rules/macos/collection_exfiltration_data_staging_in_temporary_directory_via_osascript.toml	40
behavior/rules/macos/collection_pbpaste_execution_via_unusual_parent.toml	37
behavior/rules/macos/collection_potential_data_collection_in_temporary_directory_by_hidden_executable.toml	45
behavior/rules/macos/collection_sensitive_file_access_followed_by_compression.toml	55
behavior/rules/macos/collection_suspicious_archive_creation_via_ditto.toml	49
behavior/rules/macos/collection_suspicious_image_creation_via_screencapture.toml	49
behavior/rules/macos/command_and_control_curl_download_and_osascript_payload_execution_via_node.toml	44
behavior/rules/macos/command_and_control_curl_executable_file_download_via_osascript.toml	37
behavior/rules/macos/command_and_control_curl_execution_via_apple_installer_package.toml	40
behavior/rules/macos/command_and_control_curl_execution_via_application_shell_script.toml	54
behavior/rules/macos/command_and_control_curl_execution_via_automator_application.toml	42
behavior/rules/macos/command_and_control_curl_execution_via_commandline_shell_script.toml	49
behavior/rules/macos/command_and_control_curl_execution_via_env_binary.toml	42
behavior/rules/macos/command_and_control_curl_from_volume_mount.toml	41
behavior/rules/macos/command_and_control_curl_local_file_read_or_write_via_osascript.toml	35
behavior/rules/macos/command_and_control_curl_to_ftp_server_via_raw_ip.toml	34
behavior/rules/macos/command_and_control_curl_to_suspicious_top_level_domain.toml	51
behavior/rules/macos/command_and_control_curl_to_telegram_api.toml	43
behavior/rules/macos/command_and_control_executable_file_access_or_modification_via_osascript.toml	33
behavior/rules/macos/command_and_control_hidden_file_network_connection_and_executable_download.toml	38
behavior/rules/macos/command_and_control_network_connection_to_oast_domain_via_package_service_or_script.toml	39
behavior/rules/macos/command_and_control_osascript_download_cradle_spawned.toml	44
behavior/rules/macos/command_and_control_osascript_payload_drop_and_execute.toml	45
behavior/rules/macos/command_and_control_potential_payload_download_via_applescript_applet.toml	59
behavior/rules/macos/command_and_control_potential_wizardupdate_malware_infection.toml	36
behavior/rules/macos/command_and_control_potential_xcsset_malware_infection.toml	36
behavior/rules/macos/command_and_control_python_outbound_network_connection_over_ftp.toml	40
behavior/rules/macos/command_and_control_shlayer_malware_infection.toml	42
behavior/rules/macos/command_and_control_suspicious_archive_file_download_via_curl.toml	50
behavior/rules/macos/command_and_control_suspicious_binary_aws_s3_connection.toml	41
behavior/rules/macos/command_and_control_suspicious_curl_file_download_from_raw_ip.toml	45
behavior/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml	48
behavior/rules/macos/command_and_control_suspicious_curl_to_google_app_script_endpoint.toml	40
behavior/rules/macos/command_and_control_suspicious_curl_to_oast_domain.toml	37
behavior/rules/macos/command_and_control_suspicious_executable_download_via_curl.toml	37
behavior/rules/macos/command_and_control_suspicious_executable_download_via_ruby.toml	43
behavior/rules/macos/command_and_control_suspicious_file_download_via_google_drive.toml	62
behavior/rules/macos/command_and_control_suspicious_hidden_executable_and_immediate_network_connection.toml	45
behavior/rules/macos/command_and_control_suspicious_network_connection_to_gmail_via_nodejs.toml	58
behavior/rules/macos/command_and_control_suspicious_url_as_argument_to_self_signed_binary.toml	48
behavior/rules/macos/command_and_control_suspicious_vscode_extension_child_process.toml	41
behavior/rules/macos/command_and_control_url_as_argument_to_python_script_and_immediate_network_connection.toml	49
behavior/rules/macos/command_and_control_url_as_process_argument_via_installer_package.toml	49
behavior/rules/macos/credential_access_cloud_credential_files_accessed_by_osascript.toml	41
behavior/rules/macos/credential_access_cloud_credential_files_accessed_by_process_in_suspicious_directory.toml	63
behavior/rules/macos/credential_access_crypto_wallet_file_access_by_unsigned_or_untrusted_binary.toml	62
behavior/rules/macos/credential_access_crypto_wallet_file_access_via_commandline.toml	61
behavior/rules/macos/credential_access_crypto_wallet_or_web_browser_file_access_via_nodejs.toml	66
behavior/rules/macos/credential_access_crypto_wallet_or_web_browser_file_access_via_osascript.toml	65
behavior/rules/macos/credential_access_crypto_wallet_or_web_browser_file_access_via_python.toml	65
behavior/rules/macos/credential_access_dumping_account_hashes_via_built_in_commands.toml	37
behavior/rules/macos/credential_access_kerberos_config_file_accessed_by_osascript.toml	37
behavior/rules/macos/credential_access_kerberos_config_file_accessed_by_untrusted_or_unsigned_process.toml	38
behavior/rules/macos/credential_access_keychain_credential_files_collected_via_archive_utility.toml	71
behavior/rules/macos/credential_access_keychain_dump_via_native_security_tool.toml	50
behavior/rules/macos/credential_access_potential_access_to_kerberos_cached_credentials.toml	41
behavior/rules/macos/credential_access_potential_credentials_phishing_via_osascript.toml	54
behavior/rules/macos/credential_access_slack_workspace_files_accessed_by_osascript.toml	45
behavior/rules/macos/credential_access_slack_workspace_files_accessed_by_unsigned_or_untrusted_process.toml	45
behavior/rules/macos/credential_access_ssh_keys_accessed_by_osascript.toml	40
behavior/rules/macos/credential_access_suspicious_user_keychain_access_via_nodejs.toml	48
behavior/rules/macos/credential_access_suspicious_user_keychain_db_access_by_unsigned_binary.toml	42
behavior/rules/macos/credential_access_systemkey_access_via_command_line.toml	43
behavior/rules/macos/credential_access_telegram_data_accessed_by_osascript.toml	41
behavior/rules/macos/credential_access_telegram_data_accessed_by_unsigned_or_untrusted_process.toml	41
behavior/rules/macos/credential_access_user_keychain_access_in_unusual_location.toml	44
behavior/rules/macos/credential_access_user_keychain_copied_via_shell_interpreter.toml	44
behavior/rules/macos/credential_access_user_keychain_db_access_by_osascript.toml	39
behavior/rules/macos/credential_access_user_keychain_db_access_by_self_signed_binary.toml	51
behavior/rules/macos/credential_access_web_browser_credential_data_accessed_by_osascript.toml	45
behavior/rules/macos/credential_access_web_browser_credential_data_accessed_by_unsigned_or_untrusted_process.toml	48
behavior/rules/macos/credential_access_web_browsers_password_access_via_command_line.toml	46
behavior/rules/macos/defense_evasion_applescript_decoded_via_base64.toml	43
behavior/rules/macos/defense_evasion_base64_encoded_string_execution_via_osascript.toml	59
behavior/rules/macos/defense_evasion_decoded_or_decrypted_payload_written_to_suspicious_directory.toml	94
behavior/rules/macos/defense_evasion_dylib_injection_via_process_environment_variables.toml	100
behavior/rules/macos/defense_evasion_dylib_load_via_ssh_keygen.toml	32
behavior/rules/macos/defense_evasion_dylib_loaded_by_process_in_suspicious_location.toml	51
behavior/rules/macos/defense_evasion_elastic_endpoint_security_kernel_extension_unload.toml	51
behavior/rules/macos/defense_evasion_embedded_payload_dropped_and_executed.toml	44
behavior/rules/macos/defense_evasion_executable_file_creation_via_base64.toml	44
behavior/rules/macos/defense_evasion_execution_of_a_file_dropped_by_openssl.toml	53
behavior/rules/macos/defense_evasion_execution_of_hidden_file_from_the_shared_directory.toml	46
behavior/rules/macos/defense_evasion_execution_of_non_executable_file_via_shell.toml	53
behavior/rules/macos/defense_evasion_file_hidden_via_chflags.toml	39
behavior/rules/macos/defense_evasion_file_hidden_via_setfile.toml	44
behavior/rules/macos/defense_evasion_file_made_executable_via_package_install_script.toml	63
behavior/rules/macos/defense_evasion_in_memory_jxa_execution_via_scriptingadditions.toml	50
behavior/rules/macos/defense_evasion_killall_execution_via_python.toml	32
behavior/rules/macos/defense_evasion_launchpad_hijack.toml	56
behavior/rules/macos/defense_evasion_mach_o_file_with_unusual_extension.toml	46
behavior/rules/macos/defense_evasion_macos_hidden_file_mounted.toml	50
behavior/rules/macos/defense_evasion_modification_of_safari_settings_via_defaults_command.toml	38
behavior/rules/macos/defense_evasion_network_file_unzipped_via_unsigned_or_untrusted_binary.toml	56
behavior/rules/macos/defense_evasion_notificationcenter_silenced_via_killall_binary.toml	45
behavior/rules/macos/defense_evasion_operating_system_security_updates_disabled.toml	39
behavior/rules/macos/defense_evasion_payload_decoded_and_decrypted_via_built_in_utilities.toml	70
behavior/rules/macos/defense_evasion_potential_binary_masquerading_via_invalid_code_signature.toml	51
behavior/rules/macos/defense_evasion_potential_masquerading_as_system_binary.toml	55
behavior/rules/macos/defense_evasion_potential_privacy_control_bypass_via_localhost_secure_copy.toml	48
behavior/rules/macos/defense_evasion_potential_tcc_bypass_via_electron_web_inspector_api.toml	44
behavior/rules/macos/defense_evasion_quarantine_attribute_deleted_via_untrusted_binary.toml	51
behavior/rules/macos/defense_evasion_quarantine_attribute_removal_via_textedit.toml	52
behavior/rules/macos/defense_evasion_quarantine_attribute_removed_by_unsigned_or_unstrusted_process.toml	55
behavior/rules/macos/defense_evasion_reading_or_modifying_downloaded_files_database_via_sqlite_utility.toml	31
behavior/rules/macos/defense_evasion_reflective_dylib_load.toml	73
behavior/rules/macos/defense_evasion_suspicious_deobfuscation_via_shell_script.toml	43
behavior/rules/macos/defense_evasion_suspicious_dmg_file_creation_in_tmp_directory.toml	53
behavior/rules/macos/defense_evasion_suspicious_executable_copied_from_volume_mount.toml	47
behavior/rules/macos/defense_evasion_suspicious_file_attribute_clearing.toml	44
behavior/rules/macos/defense_evasion_suspicious_file_overwrite_and_modification_via_echo.toml	69
behavior/rules/macos/defense_evasion_suspicious_file_quarantine_removal_via_find.toml	44
behavior/rules/macos/defense_evasion_suspicious_finder_cache_file_modification.toml	38
behavior/rules/macos/defense_evasion_suspicious_macos_application_hidden_executable_file.toml	41
behavior/rules/macos/defense_evasion_suspicious_openssl_execution_via_macos_application.toml	74
behavior/rules/macos/defense_evasion_suspicious_stop_of_tccd_via_launchctl.toml	54
behavior/rules/macos/defense_evasion_suspicious_task_for_pid_system_call.toml	62
behavior/rules/macos/defense_evasion_suspicious_unload_of_elastic_agent_via_launchctl.toml	74
behavior/rules/macos/defense_evasion_tccutil_reset_via_suspicious_binary.toml	41
behavior/rules/macos/defense_evasion_terminal_closed_with_pkill_or_killall.toml	45
behavior/rules/macos/defense_evasion_terminal_window_hidden_or_closed_via_osascript.toml	42
behavior/rules/macos/defense_evasion_unsigned_or_untrusted_process_execution_and_immediate_self_deletion.toml	44
behavior/rules/macos/defense_evasion_unusual_dylib_load_from_users_shared_directory.toml	37
behavior/rules/macos/discovery_external_ip_address_discovery_via_curl.toml	93
behavior/rules/macos/discovery_potential_virtual_machine_fingerprinting_via_grep.toml	46
behavior/rules/macos/discovery_security_software_discovery_via_grep.toml	66
behavior/rules/macos/discovery_suspicious_sip_check_by_macos_application.toml	49
behavior/rules/macos/execution_abnormal_auval_child_process_execution.toml	51
behavior/rules/macos/execution_arbitrary_python_code_execution_via_nodejs.toml	39
behavior/rules/macos/execution_background_process_execution_via_shell.toml	57
behavior/rules/macos/execution_cocoa_applet_binary_execution.toml	45
behavior/rules/macos/execution_code_editor_untrusted_or_unsigned_child_process_execution.toml	52
behavior/rules/macos/execution_command_execution_via_screen_session.toml	43
behavior/rules/macos/execution_curl_download_and_execution_of_javascript_payload.toml	51
behavior/rules/macos/execution_decoy_document_creation_via_curl.toml	41
behavior/rules/macos/execution_disown_execution_via_shell_command_from_volume_mount.toml	44
behavior/rules/macos/execution_dscl_execution_via_osascript.toml	49
behavior/rules/macos/execution_executable_file_extracted_to_temporary_directory.toml	56
behavior/rules/macos/execution_execution_of_javascript_payload_via_osascript.toml	45
behavior/rules/macos/execution_execution_of_javascript_payload_via_python.toml	46
behavior/rules/macos/execution_execution_of_self_signed_binary_from_volume_mount.toml	45
behavior/rules/macos/execution_execution_via_electron_child_process_node.js_module.toml	55
behavior/rules/macos/execution_file_cloned_by_unsigned_or_untrusted_process.toml	36
behavior/rules/macos/execution_hidden_folder_or_file_access_in_tmp_via_python.toml	49
behavior/rules/macos/execution_hidden_python_script_execution_via_nodejs.toml	58
behavior/rules/macos/execution_initial_access_discovery_via_applet_executable.toml	48
behavior/rules/macos/execution_initial_access_via_audio_unit_plug_in.toml	55
behavior/rules/macos/execution_initial_access_via_macos_installer_package.toml	202
behavior/rules/macos/execution_initial_access_via_osa_shell_script_piped_to_python_interpreter.toml	57
behavior/rules/macos/execution_lone_binary_execution_from_volume_mount.toml	36
behavior/rules/macos/execution_macos_interactive_shell_spawned_via_hidden_process.toml	42
behavior/rules/macos/execution_nohup_execution_followed_by_outbound_network_connection.toml	77
behavior/rules/macos/execution_osa_script_execution_via_unsigned_or_untrusted_parent.toml	44
behavior/rules/macos/execution_osascript_execution_via_piped_applescript.toml	41
behavior/rules/macos/execution_payload_delivery_via_curl_and_immediate_execution.toml	55
behavior/rules/macos/execution_payload_piped_to_script_interpreter.toml	55
behavior/rules/macos/execution_possible_java_reverse_shell.toml	50
behavior/rules/macos/execution_potential_decoy_document_via_open.toml	47
behavior/rules/macos/execution_potential_python_reverse_shell.toml	57
behavior/rules/macos/execution_powershell_encoded_command.toml	51
behavior/rules/macos/execution_powershell_outbound_network_connection.toml	47
behavior/rules/macos/execution_python_initial_access_via_google_drive.toml	62
behavior/rules/macos/execution_python_script_execution_via_shell_and_remote_network_connection.toml	58
behavior/rules/macos/execution_shell_script_execution_from_abnormal_volume_mount_path.toml	49
behavior/rules/macos/execution_suspicious_apple_script_execution.toml	46
behavior/rules/macos/execution_suspicious_audio_unit_plug_in_file_access.toml	45
behavior/rules/macos/execution_suspicious_automator_application_execution.toml	45
behavior/rules/macos/execution_suspicious_automator_workflows_execution.toml	39
behavior/rules/macos/execution_suspicious_child_process_execution_via_interactive_shell.toml	53
behavior/rules/macos/execution_suspicious_child_process_of_expect.toml	45
behavior/rules/macos/execution_suspicious_codesign_execution_via_osacompile.toml	44
behavior/rules/macos/execution_suspicious_dscl_auth_validation.toml	55
behavior/rules/macos/execution_suspicious_dylib_load_from_temporary_directory.toml	51
behavior/rules/macos/execution_suspicious_electron_command_execution.toml	44
behavior/rules/macos/execution_suspicious_elevated_command_execution.toml	44
behavior/rules/macos/execution_suspicious_execution_of_unsigned_or_untrusted_process_via_sudo.toml	47
behavior/rules/macos/execution_suspicious_installer_remote_plugin_service_child_process.toml	44
behavior/rules/macos/execution_suspicious_interactive_shell_execution.toml	47
behavior/rules/macos/execution_suspicious_large_script_execution_via_shell_command.toml	47
behavior/rules/macos/execution_suspicious_network_connection_via_installer_package.toml	63
behavior/rules/macos/execution_suspicious_powershell_child_process.toml	42
behavior/rules/macos/execution_suspicious_python_package_child_process_execution.toml	57
behavior/rules/macos/execution_suspicious_python_script_execution_and_network_connection.toml	55
behavior/rules/macos/execution_suspicious_script_compilation_via_osacompile.toml	43
behavior/rules/macos/execution_suspicious_script_or_process_execution_from_mounted_device.toml	67
behavior/rules/macos/execution_suspicious_terminal_child_process_execution.toml	57
behavior/rules/macos/execution_suspicious_unsigned_application_execution_via_shell.toml	44
behavior/rules/macos/execution_suspicious_xpc_service_child_process.toml	68
behavior/rules/macos/execution_tclsh_execution_followed_by_immediate_network_connection.toml	41
behavior/rules/macos/execution_temporary_binary_execution_via_osascript.toml	41
behavior/rules/macos/execution_unsigned_or_untrusted_application_launch_via_xpc.toml	55
behavior/rules/macos/execution_unsigned_or_untrusted_binary_execution_via_xpc_call.toml	51
behavior/rules/macos/execution_untrusted_or_unsigned_binary_execution_via_osascript.toml	42
behavior/rules/macos/execution_untrusted_process_execution_with_invalid_plist_or_code_signature.toml	46
behavior/rules/macos/execution_unusual_bundle_execution_via_shell.toml	44
behavior/rules/macos/execution_unusually_large_osa_script_execution_via_shell_command.toml	50
behavior/rules/macos/execution_unusually_large_script_executed_by_osascript.toml	42
behavior/rules/macos/execution_user_discovery_command_execution_from_volume_mount.toml	55
behavior/rules/macos/execution_user_tcc_db_access_by_osascript.toml	52
behavior/rules/macos/execution_user_tcc_db_access_by_unsigned_or_untrusted_process.toml	50
behavior/rules/macos/execution_volume_muted_via_osascript.toml	40
behavior/rules/macos/exfiltration_potential_data_exfiltration_via_curl.toml	55
behavior/rules/macos/initial_access_initial_access_or_execution_via_microsoft_office_application.toml	172
behavior/rules/macos/initial_access_suspicious_execution_via_macos_script_editor.toml	81
behavior/rules/macos/lateral_movement_potential_kerberos_attack_via_bifrost.toml	55
behavior/rules/macos/persistence_at_job_creation_or_modification_via_shell_command.toml	60
behavior/rules/macos/persistence_cron_tab_creation_or_modification_via_shell_command.toml	60
behavior/rules/macos/persistence_default_application_hijacking.toml	41
behavior/rules/macos/persistence_dock_tile_plug_in_load.toml	39
behavior/rules/macos/persistence_initial_access_staging_via_installer_package.toml	55
behavior/rules/macos/persistence_manual_loading_of_a_suspicious_chromium_extension.toml	48
behavior/rules/macos/persistence_new_system_kext_file_and_immediate_load_via_kextload.toml	59
behavior/rules/macos/persistence_persistence_via_a_hidden_plist_filename.toml	73
behavior/rules/macos/persistence_persistence_via_a_masqueraded_plist_filename.toml	75
behavior/rules/macos/persistence_persistence_via_suspicious_launch_agent_or_launch_daemon.toml	128
behavior/rules/macos/persistence_potential_persistence_via_emond.toml	68
behavior/rules/macos/persistence_screensaver_plist_file_modified_by_unexpected_process.toml	58
behavior/rules/macos/persistence_suspicious_apple_mail_rule_plist_creation_or_modification.toml	45
behavior/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml	69
behavior/rules/macos/persistence_suspicious_startupitem_plist_creation_or_modification.toml	43
behavior/rules/macos/persistence_unexpected_child_process_of_macos_screensaver_engine.toml	41
behavior/rules/macos/persistence_unsigned_or_untrusted_binary_execution_via_cron.toml	54
behavior/rules/macos/persistence_unsigned_or_untrusted_binary_execution_via_zshrc.toml	53
behavior/rules/macos/persistence_unsigned_or_untrusted_process_execution_via_installer.toml	43
behavior/rules/macos/persistence_untrusted_or_unsigned_binary_executed_via_launch_service.toml	46
behavior/rules/macos/persistence_unusual_launch_service_creation_via_unsigned_or_untrusted_binary.toml	50
behavior/rules/macos/privilege_escalation_elevated_apple_script_execution_via_unsigned_parent.toml	50
behavior/rules/macos/privilege_escalation_executewithprivileges_prompt_via_unsigned_or_untrusted_application.toml	58
behavior/rules/macos/privilege_escalation_potential_code_injection_via_remote_thread.toml	41
behavior/rules/macos/privilege_escalation_potential_privilege_escalation_via_root_crontab_file_modification.toml	40
behavior/rules/macos/privilege_escalation_potential_privilege_escalation_via_tcc_bypass_with_fake_tcc.db.toml	57
behavior/rules/macos/privilege_escalation_potential_sip_bypass_via_the_shoveservice.toml	37
behavior/rules/macos/privilege_escalation_suspicious_privilegedhelpertool_activity.toml	58
behavior/rules/windows/collection_getasynckeystate_api_call_from_suspicious_process.toml	73
behavior/rules/windows/collection_getasynckeystate_api_call_from_unusual_process.toml	74
behavior/rules/windows/collection_keystroke_input_capture_via_directinput.toml	57
behavior/rules/windows/collection_keystroke_input_capture_via_registerrawinputdevices.toml	52
behavior/rules/windows/collection_keystroke_messages_hooking_via_setwindowshookex.toml	94
behavior/rules/windows/collection_keystrokes_input_capture_from_a_managed_application.toml	59
behavior/rules/windows/collection_keystrokes_input_capture_from_a_suspicious_module.toml	52
behavior/rules/windows/collection_keystrokes_input_capture_from_suspicious_callstack.toml	81
behavior/rules/windows/collection_keystrokes_input_capture_from_unsigned_dll.toml	71
behavior/rules/windows/collection_keystrokes_input_capture_via_setwindowshookex.toml	52
behavior/rules/windows/command_and_control_connection_to_dynamic_dns_provider_by_a_signed_binary_proxy.toml	100
behavior/rules/windows/command_and_control_connection_to_dynamic_dns_provider_by_an_unsigned_binary.toml	98
behavior/rules/windows/command_and_control_connection_to_webservice_by_a_signed_binary_proxy.toml	231
behavior/rules/windows/command_and_control_connection_to_webservice_by_an_unsigned_binary.toml	193
behavior/rules/windows/command_and_control_dns_query_to_suspicious_top_level_domain.toml	126
behavior/rules/windows/command_and_control_download_activity_via_a_headless_browser.toml	43
behavior/rules/windows/command_and_control_execution_from_suspicious_stack_trailing_bytes.toml	122
behavior/rules/windows/command_and_control_execution_of_a_file_written_by_a_signed_binary_proxy.toml	57
behavior/rules/windows/command_and_control_ingress_tool_transfer_via_curl.toml	53
behavior/rules/windows/command_and_control_ingress_tool_transfer_via_inet_cache.toml	46
behavior/rules/windows/command_and_control_ingress_tool_transfer_via_powershell.toml	76
behavior/rules/windows/command_and_control_ingress_transfer_via_windows_utility.toml	37
behavior/rules/windows/command_and_control_library_load_of_a_file_written_by_a_signed_binary_proxy.toml	68
behavior/rules/windows/command_and_control_netsupport_execution_form_unusual_path.toml	39
behavior/rules/windows/command_and_control_netwire_rat_registry_modification.toml	51
behavior/rules/windows/command_and_control_network_connect_api_from_unbacked_memory.toml	115
behavior/rules/windows/command_and_control_potential_execution_via_sliver_framework.toml	73
behavior/rules/windows/command_and_control_potential_known_tcp_port_traffic_tunneling.toml	78
behavior/rules/windows/command_and_control_potential_plugx_registry_modification.toml	69
behavior/rules/windows/command_and_control_potential_protocol_tunneling_via_legit_utilities.toml	45
behavior/rules/windows/command_and_control_potential_remote_desktop_protocol_tunneling.toml	52
behavior/rules/windows/command_and_control_potential_traffic_tunneling_with_qemu.toml	36
behavior/rules/windows/command_and_control_remcos_rat_exepath_registry_modification.toml	51
behavior/rules/windows/command_and_control_remcos_rat_inetcookies_file_deletion.toml	48
behavior/rules/windows/command_and_control_remcos_rat_registry_or_file_modification.toml	56
behavior/rules/windows/command_and_control_service_communication_via_mail_protocol.toml	56
behavior/rules/windows/command_and_control_suspicious_command_and_control_via_internet_explorer.toml	112
behavior/rules/windows/command_and_control_suspicious_communication_via_mail_protocol.toml	102
behavior/rules/windows/command_and_control_suspicious_dns_lookup_by_remote_utilities_rmm.toml	39
behavior/rules/windows/command_and_control_suspicious_dns_query_by_msiexec.toml	56
behavior/rules/windows/command_and_control_suspicious_dns_query_from_mounted_virtual_disk.toml	225
behavior/rules/windows/command_and_control_suspicious_executable_file_creation.toml	92
behavior/rules/windows/command_and_control_suspicious_netsupport_execution.toml	40
behavior/rules/windows/credential_access_access_attempt_to_non_existing_cryptocurrency_wallet.toml	76
behavior/rules/windows/credential_access_access_to_browser_credentials_from_suspicious_memory.toml	134
behavior/rules/windows/credential_access_access_to_windows_passwords_vault_via_powershell.toml	64
behavior/rules/windows/credential_access_autologons_access_attempt_via_registry.toml	60
behavior/rules/windows/credential_access_browser_debugging_from_unusual_parent.toml	84
behavior/rules/windows/credential_access_chrome_browser_spawned_from_an_unusual_parent.toml	62
behavior/rules/windows/credential_access_credential_access_via_known_utilities.toml	94
behavior/rules/windows/credential_access_failed_access_attempt_to_web_browser_files.toml	157
behavior/rules/windows/credential_access_failed_attempts_to_access_sensitive_files.toml	92
behavior/rules/windows/credential_access_lsa_dump_via_silentprocessexit.toml	41
behavior/rules/windows/credential_access_lsa_dump_via_windows_error_reporting.toml	42
behavior/rules/windows/credential_access_lsass_access_attempt_from_an_unsigned_executable.toml	45
behavior/rules/windows/credential_access_lsass_access_attempt_from_unbacked_memory.toml	65
behavior/rules/windows/credential_access_lsass_access_attempt_via_ppl_bypass.toml	72
behavior/rules/windows/credential_access_lsass_memory_dump_via_minidumpwritedump.toml	42
behavior/rules/windows/credential_access_potential_browser_credentials_stealer.toml	58
behavior/rules/windows/credential_access_potential_browser_debugging_via_localhost.toml	69
behavior/rules/windows/credential_access_potential_credential_access_via_mimikatz.toml	63
behavior/rules/windows/credential_access_potential_credential_access_via_rubeus.toml	58
behavior/rules/windows/credential_access_potential_credential_access_via_windows_credential_history.toml	59
behavior/rules/windows/credential_access_potential_discovery_of_dpapi_master_keys.toml	89
behavior/rules/windows/credential_access_potential_discovery_of_windows_credential_manager_store.toml	85
behavior/rules/windows/credential_access_potential_google_credentials_phishing.toml	58
behavior/rules/windows/credential_access_powershell_script_with_passwords_vault_access_capability.toml	56
behavior/rules/windows/credential_access_remote_access_to_sensitive_registry_keys.toml	56
behavior/rules/windows/credential_access_security_account_manager_(sam)_file_access.toml	79
behavior/rules/windows/credential_access_security_account_manager_(sam)_registry_access.toml	79
behavior/rules/windows/credential_access_sensitive_file_access_cloud_credentials.toml	72
behavior/rules/windows/credential_access_sensitive_file_access_remote_desktop_connection_manager.toml	58
behavior/rules/windows/credential_access_sensitive_file_access_ssh_saved_keys.toml	101
behavior/rules/windows/credential_access_sensitive_file_access_system_admin_utilities.toml	89
behavior/rules/windows/credential_access_sensitive_file_access_unattended_panther.toml	78
behavior/rules/windows/credential_access_sensitive_hive_access_via_registry_backup.toml	72
behavior/rules/windows/credential_access_suspicious_access_to_active_directory_database_file.toml	51
behavior/rules/windows/credential_access_suspicious_access_to_cryptocurrency_wallet_files.toml	111
behavior/rules/windows/credential_access_suspicious_access_to_lsa_secrets_registry.toml	78
behavior/rules/windows/credential_access_suspicious_access_to_web_browser_credential_stores.toml	63
behavior/rules/windows/credential_access_suspicious_access_to_windows_vault_files.toml	58
behavior/rules/windows/credential_access_suspicious_credential_files_creation_via_kerberos.toml	68
behavior/rules/windows/credential_access_suspicious_registry_hive_dump.toml	57
behavior/rules/windows/credential_access_suspicious_vault_client_image_load.toml	102
behavior/rules/windows/credential_access_suspicious_vault_files_access_via_rpc.toml	68
behavior/rules/windows/credential_access_system_bootkey_registry_access.toml	59
behavior/rules/windows/credential_access_unusual_kerberos_client_process.toml	47
behavior/rules/windows/credential_access_unusual_ldap_client_process.toml	77
behavior/rules/windows/credential_access_web_browser_credential_access_via_unsigned_process.toml	76
behavior/rules/windows/defense_evasion_allowprotectedrenames_registry_modification.toml	48
behavior/rules/windows/defense_evasion_amsi_bypass_via_com_registry_modification.toml	40
behavior/rules/windows/defense_evasion_amsi_bypass_via_powershell.toml	74
behavior/rules/windows/defense_evasion_amsi_bypass_via_unbacked_memory.toml	47
behavior/rules/windows/defense_evasion_amsi_or_wldp_bypass_via_memory_patching.toml	77
behavior/rules/windows/defense_evasion_api_call_from_a_process_with_a_spoofed_parent.toml	64
behavior/rules/windows/defense_evasion_api_call_via_jump_rop_gadget.toml	64
behavior/rules/windows/defense_evasion_api_call_via_timer_callback_event.toml	36
behavior/rules/windows/defense_evasion_asynchronous_procedure_call_from_unusual_module.toml	62
behavior/rules/windows/defense_evasion_attempt_to_disable_driver_via_hvcidisallowedimages.toml	39
behavior/rules/windows/defense_evasion_attempt_to_disable_windows_defender_services.toml	47
behavior/rules/windows/defense_evasion_attempt_to_disable_windows_driver_blocklist_via_registry.toml	41
behavior/rules/windows/defense_evasion_attempt_to_hide_files_via_registry_modification.toml	67
behavior/rules/windows/defense_evasion_binary_masquerading_via_untrusted_path.toml	214
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_appvlp.toml	35
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_pester.toml	38
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_rundll32.toml	92
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_runexehelper.toml	44
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_ttdinject.toml	38
behavior/rules/windows/defense_evasion_binary_proxy_execution_via_windows_openssh.toml	44
behavior/rules/windows/defense_evasion_com_to_.net_redirection_via_registry.toml	50
behavior/rules/windows/defense_evasion_common_language_runtime_loaded_via_an_unsigned_module.toml	52
behavior/rules/windows/defense_evasion_control_panel_process_with_unusual_arguments.toml	63
behavior/rules/windows/defense_evasion_crashdump_disabled_via_registry_modification.toml	42
behavior/rules/windows/defense_evasion_defense_evasion_via_registry_modification.toml	58
behavior/rules/windows/defense_evasion_delayed_common_language_runtime_load.toml	62
behavior/rules/windows/defense_evasion_direct_syscall_from_unsigned_module.toml	80
behavior/rules/windows/defense_evasion_direct_syscall_via_assembly_bytes.toml	100
behavior/rules/windows/defense_evasion_disabling_hypervisor_protected_code_integrity_via_registry.toml	52
behavior/rules/windows/defense_evasion_dll_control_panel_items_registry_modification.toml	47
behavior/rules/windows/defense_evasion_dll_dropped_by_msiexec_followed_by_sideload.toml	114
behavior/rules/windows/defense_evasion_dll_execution_via_visual_studio_live_share.toml	37
behavior/rules/windows/defense_evasion_dll_injection_via_mavinject_utility.toml	45
behavior/rules/windows/defense_evasion_dll_side_loading_of_a_file_dropped_by_microsoft_office.toml	83
behavior/rules/windows/defense_evasion_dll_side_loading_via_a_copied_microsoft_executable.toml	78
behavior/rules/windows/defense_evasion_evasion_via_device_credential_deployment.toml	41
behavior/rules/windows/defense_evasion_evasion_via_event_tracing_for_windows_patching.toml	52
behavior/rules/windows/defense_evasion_evasion_via_file_name_masquerading.toml	91
behavior/rules/windows/defense_evasion_evasion_via_ldrpkernel32_overwrite.toml	48
behavior/rules/windows/defense_evasion_evasion_via_multiple_memory_section_mapping.toml	39
behavior/rules/windows/defense_evasion_evasion_via_sleep_api_hooking.toml	38
behavior/rules/windows/defense_evasion_execution_from_suspicious_directory.toml	123
behavior/rules/windows/defense_evasion_execution_of_a_binary_dropped_via_microsoft_bsdtar_archive_tool.toml	53
behavior/rules/windows/defense_evasion_execution_of_a_dnguard_protected_program.toml	43
behavior/rules/windows/defense_evasion_execution_of_a_file_dropped_from_kernel_mode.toml	40
behavior/rules/windows/defense_evasion_execution_via_internet_explorer_exporter.toml	41
behavior/rules/windows/defense_evasion_execution_via_msiexec_downloadandexecute_customaction.toml	49
behavior/rules/windows/defense_evasion_execution_via_program_compatibility_assistant.toml	43
behavior/rules/windows/defense_evasion_execution_via_renamed_signed_binary_proxy.toml	95
behavior/rules/windows/defense_evasion_execution_via_windows_command_line_debugging_utility.toml	39
behavior/rules/windows/defense_evasion_execution_via_windows_installer_transforms.toml	55
behavior/rules/windows/defense_evasion_firewall_policy_changed_by_a_suspicious_process.toml	55
behavior/rules/windows/defense_evasion_image_hollow_from_unusual_stack.toml	78
behavior/rules/windows/defense_evasion_image_load_via_synthetic_stack_spoofing.toml	53
behavior/rules/windows/defense_evasion_image_load_via_transactional_ntfs.toml	41
behavior/rules/windows/defense_evasion_indirect_command_execution_via_console_window_host.toml	44
behavior/rules/windows/defense_evasion_indirect_command_execution_via_forfiles.toml	44
behavior/rules/windows/defense_evasion_ingress_dll_transfer_followed_by_dll_sideloading.toml	64
behavior/rules/windows/defense_evasion_internet_activity_from_suspicious_unbacked_memory.toml	93
behavior/rules/windows/defense_evasion_library_loaded_from_a_spoofed_call_stack.toml	47
behavior/rules/windows/defense_evasion_library_loaded_via_a_callback_function.toml	53
behavior/rules/windows/defense_evasion_library_loaded_via_thread_fiber_callback.toml	45
behavior/rules/windows/defense_evasion_managed_.net_code_execution_via_powershell.toml	72
behavior/rules/windows/defense_evasion_managed_.net_code_execution_via_windows_script_interpreter.toml	76
behavior/rules/windows/defense_evasion_memory_allocation_from_a_high_entropy_module.toml	74
behavior/rules/windows/defense_evasion_memory_protection_modification_of_an_unsigned_dll_v1.toml	61
behavior/rules/windows/defense_evasion_microsoft_common_language_runtime_loaded_from_suspicious_memory.toml	58
behavior/rules/windows/defense_evasion_module_stomping_from_a_copied_library.toml	53
behavior/rules/windows/defense_evasion_msbuild_with_unusual_arguments.toml	57
behavior/rules/windows/defense_evasion_msiexec_execution_via_a_windows_script_interpreter.toml	76
behavior/rules/windows/defense_evasion_network_activity_from_a_reflected_process.toml	38
behavior/rules/windows/defense_evasion_network_activity_from_a_stomped_module.toml	95
behavior/rules/windows/defense_evasion_network_connection_via_process_with_unusual_arguments.toml	78
behavior/rules/windows/defense_evasion_network_library_load_via_ldrloaddll.toml	66
behavior/rules/windows/defense_evasion_network_module_loaded_from_suspicious_unbacked_memory.toml	249
behavior/rules/windows/defense_evasion_ntdll_loaded_from_an_unusual_path.toml	55
behavior/rules/windows/defense_evasion_ntdll_memory_protection_change_via_unsigned_dll.toml	80
behavior/rules/windows/defense_evasion_oversized_dll_creation_followed_by_sideload.toml	72
behavior/rules/windows/defense_evasion_parallel_ntdll_loaded_from_unbacked_memory.toml	51
behavior/rules/windows/defense_evasion_parent_process_pid_spoofing.toml	148
behavior/rules/windows/defense_evasion_payload_decoded_via_certutil.toml	47
behavior/rules/windows/defense_evasion_potential_autoconfigurl_settings_hijack.toml	42
behavior/rules/windows/defense_evasion_potential_beacon_masking_from_a_stomped_module.toml	34
behavior/rules/windows/defense_evasion_potential_cve_2024_21338_exploitation.toml	60
behavior/rules/windows/defense_evasion_potential_defense_evasion_via_filter_manager_control_program.toml	35
behavior/rules/windows/defense_evasion_potential_dll_hijack_via_directory_spoofing.toml	58
behavior/rules/windows/defense_evasion_potential_dll_hijacking_via_environment_paths.toml	98
behavior/rules/windows/defense_evasion_potential_dll_hollowing_from_a_writable_image.toml	44
behavior/rules/windows/defense_evasion_potential_dll_hollowing_with_transactional_ntfs.toml	37
behavior/rules/windows/defense_evasion_potential_dll_search_order_hijacking_of_an_existing_program.toml	68
behavior/rules/windows/defense_evasion_potential_dll_sideload_via_a_microsoft_signed_binary.toml	60
behavior/rules/windows/defense_evasion_potential_dll_sideload_via_a_renamed_signed_binary.toml	53
behavior/rules/windows/defense_evasion_potential_elastic_tampering_via_pendingfilerename.toml	47
behavior/rules/windows/defense_evasion_potential_endpoint_security_evasion_via_firewallrules.toml	47
behavior/rules/windows/defense_evasion_potential_evasion_via_asp.net_compiler.toml	39
behavior/rules/windows/defense_evasion_potential_evasion_via_dotnet_framework_installation_utility.toml	72
behavior/rules/windows/defense_evasion_potential_evasion_via_inline_execute_assembly.toml	52
behavior/rules/windows/defense_evasion_potential_evasion_via_intel_gfxdownloadwrapper.toml	58
behavior/rules/windows/defense_evasion_potential_evasion_via_invalid_code_signature.toml	79
behavior/rules/windows/defense_evasion_potential_evasion_via_oversized_image_load.toml	61
behavior/rules/windows/defense_evasion_potential_evasion_via_stack_rumbling.toml	61
behavior/rules/windows/defense_evasion_potential_evasion_with_hardware_breakpoints.toml	92
behavior/rules/windows/defense_evasion_potential_executable_stored_in_the_registry.toml	36
behavior/rules/windows/defense_evasion_potential_exploit_via_fake_rpc_messages.toml	43
behavior/rules/windows/defense_evasion_potential_image_load_via_transactional_ntfs.toml	49
behavior/rules/windows/defense_evasion_potential_image_load_with_a_spoofed_creation_time.toml	97
behavior/rules/windows/defense_evasion_potential_initial_access_via_dll_search_order_hijacking.toml	70
behavior/rules/windows/defense_evasion_potential_injection_from_a_lua_script.toml	45
behavior/rules/windows/defense_evasion_potential_injection_via_asynchronous_procedure_call.toml	46
behavior/rules/windows/defense_evasion_potential_injection_via_dotnet_debugging.toml	57
behavior/rules/windows/defense_evasion_potential_injection_via_module_stomping.toml	76
behavior/rules/windows/defense_evasion_potential_injection_via_nsis_installer.toml	43
behavior/rules/windows/defense_evasion_potential_injection_via_pyinstaller_executable.toml	44
behavior/rules/windows/defense_evasion_potential_injection_via_the_console_window_class.toml	43
behavior/rules/windows/defense_evasion_potential_library_load_via_rop_gadgets.toml	57
behavior/rules/windows/defense_evasion_potential_logonuser_api_hooking.toml	42
behavior/rules/windows/defense_evasion_potential_masquerading_as_svchost.toml	95
behavior/rules/windows/defense_evasion_potential_masquerading_as_windows_error_manager.toml	85
behavior/rules/windows/defense_evasion_potential_netntlmv1_downgrade_attack.toml	34
behavior/rules/windows/defense_evasion_potential_ntdll_memory_unhooking.toml	85
behavior/rules/windows/defense_evasion_potential_operation_via_direct_syscall.toml	90
behavior/rules/windows/defense_evasion_potential_parent_process_pid_spoofing_via_malseclogon.toml	66
behavior/rules/windows/defense_evasion_potential_process_creation_via_direct_syscall.toml	40
behavior/rules/windows/defense_evasion_potential_process_creation_via_shellcode.toml	46
behavior/rules/windows/defense_evasion_potential_protected_process_dll_injection_via_rpc.toml	43
behavior/rules/windows/defense_evasion_potential_remote_code_injection.toml	109
behavior/rules/windows/defense_evasion_potential_self_deletion_of_a_running_executable.toml	48
behavior/rules/windows/defense_evasion_potential_shellcode_fluctuation_v1.toml	121
behavior/rules/windows/defense_evasion_potential_shellcode_injection_via_a_webshell.toml	51
behavior/rules/windows/defense_evasion_potential_shellcode_injection_via_clr.toml	125
behavior/rules/windows/defense_evasion_potential_shellcode_injection_via_node.js.toml	41
behavior/rules/windows/defense_evasion_potential_suspended_process_code_injection.toml	116
behavior/rules/windows/defense_evasion_potential_unbacked_memory_content_masking.toml	37
behavior/rules/windows/defense_evasion_privilege_escalation_via_microsoft_exchange_dll_hijacking.toml	43
behavior/rules/windows/defense_evasion_process_anti_debug_via_memory_patching.toml	58
behavior/rules/windows/defense_evasion_process_creation_from_a_stomped_module.toml	65
behavior/rules/windows/defense_evasion_process_creation_from_backed_rwx_memory.toml	81
behavior/rules/windows/defense_evasion_process_creation_from_unbacked_memory_via_unsigned_parent.toml	60
behavior/rules/windows/defense_evasion_process_creation_via_rop_gadgets.toml	59
behavior/rules/windows/defense_evasion_process_creation_with_unusual_mitigation.toml	88
behavior/rules/windows/defense_evasion_process_executable_image_tampering_attempt.toml	47
behavior/rules/windows/defense_evasion_process_execution_with_unusual_file_extension.toml	44
behavior/rules/windows/defense_evasion_process_explorer_device_access_by_unusual_process.toml	54
behavior/rules/windows/defense_evasion_process_from_archive_or_removable_media_via_unbacked_code.toml	64
behavior/rules/windows/defense_evasion_process_memory_write_to_a_non_child_process.toml	184
behavior/rules/windows/defense_evasion_process_stared_via_remote_thread.toml	42
behavior/rules/windows/defense_evasion_process_suspended_via_ttd_monitor_driver.toml	52
behavior/rules/windows/defense_evasion_protected_process_light_bypass_via_dll_tampering.toml	101
behavior/rules/windows/defense_evasion_registry_modification_via_wmi_stdregprov.toml	58
behavior/rules/windows/defense_evasion_regsvr32_scriptlet_execution.toml	60
behavior/rules/windows/defense_evasion_regsvr32_with_unusual_arguments.toml	92
behavior/rules/windows/defense_evasion_remote_file_execution_via_msiexec.toml	105
behavior/rules/windows/defense_evasion_remote_memory_write_to_a_non_child_process.toml	71
behavior/rules/windows/defense_evasion_remote_memory_write_to_trusted_target_process.toml	195
behavior/rules/windows/defense_evasion_remote_msi_package_installation_via_msiexec.toml	51
behavior/rules/windows/defense_evasion_remote_process_injection_via_mapping.toml	45
behavior/rules/windows/defense_evasion_remote_process_injection_via_python.toml	40
behavior/rules/windows/defense_evasion_remote_process_memory_write_by_low_reputation_module.toml	177
behavior/rules/windows/defense_evasion_remote_thread_context_manipulation.toml	100
behavior/rules/windows/defense_evasion_renamed_autoit_scripts_interpreter.toml	40
behavior/rules/windows/defense_evasion_renamed_third_party_administrator_tools.toml	46
behavior/rules/windows/defense_evasion_renamed_windows_automaton_script_interpreter.toml	83
behavior/rules/windows/defense_evasion_rundll32_or_regsvr32_executing_an_oversized_file.toml	49
behavior/rules/windows/defense_evasion_rundll32_or_regsvr32_loaded_a_dll_from_unbacked_memory.toml	100
behavior/rules/windows/defense_evasion_rundll32_regsvr32_loads_a_dll_downloaded_via_bits.toml	56
behavior/rules/windows/defense_evasion_rundll32_with_unusual_arguments.toml	156
behavior/rules/windows/defense_evasion_script_execution_via_microsoft_html_application.toml	85
behavior/rules/windows/defense_evasion_script_execution_via_msxsl.toml	55
behavior/rules/windows/defense_evasion_scriptlet_execution_via_cmstp.toml	59
behavior/rules/windows/defense_evasion_scriptlet_execution_via_rundll32.toml	60
behavior/rules/windows/defense_evasion_scriptlet_proxy_execution_via_pubprn.toml	60
behavior/rules/windows/defense_evasion_self_injection_via_appdomain_manager_assembly.toml	79
behavior/rules/windows/defense_evasion_shadow_copy_service_disabled_via_registry_modification.toml	46
behavior/rules/windows/defense_evasion_shellcode_api_behavior_from_a_signed_module.toml	248
behavior/rules/windows/defense_evasion_shellcode_behavior_from_suspicious_rwx_provenance.toml	74
behavior/rules/windows/defense_evasion_shellcode_execution_from_low_reputation_module.toml	123
behavior/rules/windows/defense_evasion_shellcode_execution_via_a_callback_function.toml	71
behavior/rules/windows/defense_evasion_shellcode_execution_via_python_script.toml	40
behavior/rules/windows/defense_evasion_shellcode_fluctuation_via_callback.toml	40
behavior/rules/windows/defense_evasion_shellcode_from_unusual_microsoft_signed_module.toml	61
behavior/rules/windows/defense_evasion_shellcode_injection_from_mounted_device.toml	49
behavior/rules/windows/defense_evasion_shellcode_injection_via_powershell.toml	78
behavior/rules/windows/defense_evasion_shellcode_injection_with_parent_as_provenance.toml	79
behavior/rules/windows/defense_evasion_suspicious_activity_from_a_control_panel_applet.toml	59
behavior/rules/windows/defense_evasion_suspicious_api_call_via_a_windows_installer_module.toml	55
behavior/rules/windows/defense_evasion_suspicious_api_call_via_windows_script_interpreter.toml	78
behavior/rules/windows/defense_evasion_suspicious_appdomain_manager_configuration_file.toml	76
behavior/rules/windows/defense_evasion_suspicious_bitsadmin_activity.toml	108
behavior/rules/windows/defense_evasion_suspicious_call_stack_trailing_bytes.toml	45
behavior/rules/windows/defense_evasion_suspicious_control_panel_dll_loaded_by_explorer.toml	63
behavior/rules/windows/defense_evasion_suspicious_dllregisterserver_execution_via_msiexec.toml	44
behavior/rules/windows/defense_evasion_suspicious_executable_memory_mapping.toml	87
behavior/rules/windows/defense_evasion_suspicious_executable_memory_permission_modification.toml	55
behavior/rules/windows/defense_evasion_suspicious_execution_from_a_mounted_device.toml	76
behavior/rules/windows/defense_evasion_suspicious_execution_from_an_oversized_executable.toml	79
behavior/rules/windows/defense_evasion_suspicious_execution_via_dcom.toml	171
behavior/rules/windows/defense_evasion_suspicious_execution_via_dotnet_remoting.toml	49
behavior/rules/windows/defense_evasion_suspicious_execution_via_ihxhelppaneserver.toml	77
behavior/rules/windows/defense_evasion_suspicious_image_load_by_system_protected_process.toml	50
behavior/rules/windows/defense_evasion_suspicious_image_load_from_smb_shares.toml	75
behavior/rules/windows/defense_evasion_suspicious_image_load_via_ldrloaddll.toml	61
behavior/rules/windows/defense_evasion_suspicious_imageload_from_an_iso_mounted_device.toml	49
behavior/rules/windows/defense_evasion_suspicious_imageload_via_odbc_driver_configuration_program.toml	44
behavior/rules/windows/defense_evasion_suspicious_imageload_via_windows_certoc.toml	36
behavior/rules/windows/defense_evasion_suspicious_imageload_via_windows_update_auto_update_client.toml	56
behavior/rules/windows/defense_evasion_suspicious_kernel32_memory_protection.toml	50
behavior/rules/windows/defense_evasion_suspicious_memory_page_protection.toml	112
behavior/rules/windows/defense_evasion_suspicious_memory_protection_fluctuation.toml	87
behavior/rules/windows/defense_evasion_suspicious_memory_size_protection_via_virtualprotect.toml	64
behavior/rules/windows/defense_evasion_suspicious_msiexec_child_process.toml	95
behavior/rules/windows/defense_evasion_suspicious_ntdll_image_load.toml	57
behavior/rules/windows/defense_evasion_suspicious_ntdll_memory_write.toml	42
behavior/rules/windows/defense_evasion_suspicious_null_terminated_call_stack.toml	91
behavior/rules/windows/defense_evasion_suspicious_okta_agent_cross_process_activity.toml	50
behavior/rules/windows/defense_evasion_suspicious_parent_child_relationship.toml	116
behavior/rules/windows/defense_evasion_suspicious_powershell_console_history_deletion.toml	50
behavior/rules/windows/defense_evasion_suspicious_process_creation_via_reflection.toml	45
behavior/rules/windows/defense_evasion_suspicious_process_with_a_spoofed_parent.toml	102
behavior/rules/windows/defense_evasion_suspicious_remote_memory_allocation.toml	103
behavior/rules/windows/defense_evasion_suspicious_remote_process_suspend_activity.toml	142
behavior/rules/windows/defense_evasion_suspicious_remote_registry_modification.toml	75
behavior/rules/windows/defense_evasion_suspicious_shell_extension_handler_registry_modification.toml	67
behavior/rules/windows/defense_evasion_suspicious_suspended_process_creation.toml	61
behavior/rules/windows/defense_evasion_suspicious_unsigned_dll_loaded_by_a_trusted_process.toml	64
behavior/rules/windows/defense_evasion_suspicious_windows_api_call_from_virtual_disk_or_usb.toml	59
behavior/rules/windows/defense_evasion_suspicious_windows_core_module_change.toml	90
behavior/rules/windows/defense_evasion_suspicious_windows_defender_exclusions_added_via_powershell.toml	82
behavior/rules/windows/defense_evasion_suspicious_windows_defender_registry_modification.toml	72
behavior/rules/windows/defense_evasion_suspicious_windows_explorer_execution.toml	83
behavior/rules/windows/defense_evasion_suspicious_windows_lua_script_execution.toml	44
behavior/rules/windows/defense_evasion_suspicious_windows_nt_api_hooking.toml	51
behavior/rules/windows/defense_evasion_suspicious_wmic_xsl_script_execution.toml	62
behavior/rules/windows/defense_evasion_system_binary_proxy_execution_via_scriptrunner.toml	37
behavior/rules/windows/defense_evasion_thread_suspension_from_unbacked_memory.toml	51
behavior/rules/windows/defense_evasion_transacted_file_activity_via_an_unsigned_dll.toml	42
behavior/rules/windows/defense_evasion_unbacked_shellcode_from_unsigned_module.toml	138
behavior/rules/windows/defense_evasion_unsigned_dll_from_suspicious_directory.toml	140
behavior/rules/windows/defense_evasion_unsigned_dll_loaded_by_an_elastic_signed_binary.toml	45
behavior/rules/windows/defense_evasion_unsigned_dll_loaded_by_rundll32_via_com.toml	58
behavior/rules/windows/defense_evasion_untrusted_dll_loaded_by_a_persistent_program.toml	175
behavior/rules/windows/defense_evasion_unusual_dll_extension_loaded_by_rundll32_or_regsvr32.toml	78
behavior/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml	47
behavior/rules/windows/defense_evasion_unusual_process_running_as_antimalware_protected.toml	127
behavior/rules/windows/defense_evasion_unusual_registry_modification_via_wmi.toml	73
behavior/rules/windows/defense_evasion_unusual_windows_system_service_disabled.toml	53
behavior/rules/windows/defense_evasion_user_account_control_disabled_via_registry.toml	64
behavior/rules/windows/defense_evasion_virtualalloc_api_call_from_an_unsigned_dll.toml	110
behavior/rules/windows/defense_evasion_virtualprotect_call_via_nttestalert.toml	42
behavior/rules/windows/defense_evasion_virtualprotect_via_vectored_exception_handling.toml	49
behavior/rules/windows/defense_evasion_waasmedicsvc_com_type_lib_hijack.toml	58
behavior/rules/windows/defense_evasion_windows_api_call_via_indirect_random_syscall.toml	108
behavior/rules/windows/defense_evasion_windows_api_via_a_callback_function.toml	54
behavior/rules/windows/defense_evasion_windows_console_execution_from_unbacked_memory.toml	128
behavior/rules/windows/defense_evasion_windows_defender_exclusions_by_extension.toml	49
behavior/rules/windows/defense_evasion_windows_defender_exclusions_by_path.toml	50
behavior/rules/windows/defense_evasion_windows_defender_exclusions_via_wmi.toml	57
behavior/rules/windows/defense_evasion_windows_error_manager_reporting_masquerading.toml	44
behavior/rules/windows/defense_evasion_windows_firewall_exception_list_modified_via_untrusted_process.toml	52
behavior/rules/windows/defense_evasion_windows_installer_execution_via_explorer.toml	41
behavior/rules/windows/defense_evasion_windows_system_module_remote_hooking.toml	57
behavior/rules/windows/defense_evasion_windows_trojan_zloader.toml	46
behavior/rules/windows/defense_evasion_writeprocessmemory_to_suspicious_memory_location.toml	68
behavior/rules/windows/discovery_external_ip_address_discovery_via_a_trusted_program.toml	90
behavior/rules/windows/discovery_external_ip_address_discovery_via_untrusted_program.toml	111
behavior/rules/windows/discovery_potential_browser_information_discovery.toml	77
behavior/rules/windows/discovery_potential_hawkeyes_stealer_infection.toml	50
behavior/rules/windows/discovery_potential_virtual_machine_fingerprinting_via_vmdetect.toml	40
behavior/rules/windows/discovery_suspicious_remote_security_product_enumeration.toml	35
behavior/rules/windows/discovery_suspicious_security_product_enumeration.toml	136
behavior/rules/windows/discovery_suspicious_windows_ldap_image_load.toml	67
behavior/rules/windows/execution_.net_com_object_created_in_non_standard_windows_script_interpreter.toml	82
behavior/rules/windows/execution_attempt_to_mount_a_remote_webdav_share.toml	62
behavior/rules/windows/execution_command_and_scripting_interpreter_from_suspicious_parent.toml	69
behavior/rules/windows/execution_command_shell_activity_started_via_rundll32.toml	75
behavior/rules/windows/execution_command_shell_execution_from_untrusted_origin.toml	88
behavior/rules/windows/execution_dll_loaded_from_webdav_share.toml	41
behavior/rules/windows/execution_dynwrapx_image_load_via_windows_scripts.toml	50
behavior/rules/windows/execution_embedded_executable_via_windows_shortcut_file.toml	79
behavior/rules/windows/execution_encoded_powershell_execution_via_msiexec.toml	59
behavior/rules/windows/execution_execution_from_a_password_protected_self_extracting_archive.toml	41
behavior/rules/windows/execution_execution_from_unusual_directory.toml	189
behavior/rules/windows/execution_execution_from_zip_file_via_explorer.toml	81
behavior/rules/windows/execution_execution_of_a_downloaded_executable_with_low_or_unknown_reputation.toml	47
behavior/rules/windows/execution_execution_of_a_downloaded_windows_script_via_explorer.toml	90
behavior/rules/windows/execution_execution_of_a_file_downloaded_via_windows_openssh.toml	77
behavior/rules/windows/execution_execution_of_a_file_written_by_windows_script_host.toml	65
behavior/rules/windows/execution_execution_of_a_windows_script_downloaded_from_the_internet.toml	74
behavior/rules/windows/execution_execution_of_a_windows_script_downloaded_via_a_lolbin.toml	80
behavior/rules/windows/execution_execution_of_a_windows_script_file_written_by_a_suspicious_process.toml	107
behavior/rules/windows/execution_execution_of_a_windows_script_with_unusual_file_extension.toml	61
behavior/rules/windows/execution_execution_via_obfuscated_windows_script.toml	96
behavior/rules/windows/execution_execution_via_outlook_application_com_object.toml	102
behavior/rules/windows/execution_execution_via_suspicious_javascript_updates.toml	84
behavior/rules/windows/execution_execution_via_syncappvpublishingserver.toml	62
behavior/rules/windows/execution_execution_via_wmi_activescript_event_consumer.toml	76
behavior/rules/windows/execution_execution_via_wmi_commandline_event_consumer.toml	45
behavior/rules/windows/execution_execution_via_wmi_followed_by_network_connection.toml	52
behavior/rules/windows/execution_java_application_execution_from_suspicious_paths.toml	52
behavior/rules/windows/execution_java_application_with_unusual_file_extension.toml	58
behavior/rules/windows/execution_malicious_reputation_of_executable_download.toml	46
behavior/rules/windows/execution_oversized_windows_script_execution.toml	66
behavior/rules/windows/execution_potential_command_and_control_via_windows_scripts.toml	62
behavior/rules/windows/execution_potential_execution_via_zipexec.toml	55
behavior/rules/windows/execution_potential_obfuscated_script_execution.toml	91
behavior/rules/windows/execution_potential_pentesting_powershell_script.toml	95
behavior/rules/windows/execution_potential_powershell_empire_execution.toml	43
behavior/rules/windows/execution_potential_reverse_shell_via_java.toml	59
behavior/rules/windows/execution_potential_reverse_shell_via_powershell.toml	54
behavior/rules/windows/execution_powershell_empire_script_execution.toml	41
behavior/rules/windows/execution_powershell_engine_loaded_via_injection.toml	65
behavior/rules/windows/execution_powershell_execution_via_named_pipe.toml	58
behavior/rules/windows/execution_powershell_execution_via_runscripthelper.toml	35
behavior/rules/windows/execution_process_creation_from_an_unusual_wmi_client.toml	71
behavior/rules/windows/execution_process_termination_from_an_unusual_wmi_client.toml	62
behavior/rules/windows/execution_script_execution_from_webdav.toml	56
behavior/rules/windows/execution_script_execution_via_apds_xss_injection.toml	64
behavior/rules/windows/execution_shell_execution_via_windows_shortcut_file.toml	90
behavior/rules/windows/execution_suspicious_api_call_from_a_powershell_script.toml	66
behavior/rules/windows/execution_suspicious_cmd_execution_via_wmi.toml	53
behavior/rules/windows/execution_suspicious_command_shell_execution_via_windows_run.toml	71
behavior/rules/windows/execution_suspicious_execution_from_a_windows_script.toml	73
behavior/rules/windows/execution_suspicious_execution_from_mssql_service.toml	63
behavior/rules/windows/execution_suspicious_execution_via_microsoft_common_console.toml	101
behavior/rules/windows/execution_suspicious_execution_via_sql_powershell.toml	36
behavior/rules/windows/execution_suspicious_execution_via_windows_management_instrumentation.toml	123
behavior/rules/windows/execution_suspicious_image_load_via_windows_scripts.toml	54
behavior/rules/windows/execution_suspicious_java_execution_via_a_windows_script.toml	45
behavior/rules/windows/execution_suspicious_javascript_execution_via_node.js.toml	57
behavior/rules/windows/execution_suspicious_oversized_script_execution.toml	68
behavior/rules/windows/execution_suspicious_php_script_execution.toml	69
behavior/rules/windows/execution_suspicious_powershell_downloads.toml	119
behavior/rules/windows/execution_suspicious_powershell_execution.toml	179
behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml	128
behavior/rules/windows/execution_suspicious_powershell_script_with_.net_reflection.toml	75
behavior/rules/windows/execution_suspicious_python_script_interpreter.toml	113
behavior/rules/windows/execution_suspicious_script_execution_via_vbsedit_launcher.toml	48
behavior/rules/windows/execution_suspicious_windows_command_shell_execution.toml	144
behavior/rules/windows/execution_suspicious_windows_component_object_model_via_dllhost.toml	172
behavior/rules/windows/execution_suspicious_windows_script_base64_encoding.toml	55
behavior/rules/windows/execution_suspicious_windows_script_downloaded_from_the_internet.toml	94
behavior/rules/windows/execution_suspicious_windows_script_file_name.toml	125
behavior/rules/windows/execution_suspicious_windows_script_interpreter_child_process.toml	91
behavior/rules/windows/execution_suspicious_windows_script_process_execution.toml	85
behavior/rules/windows/execution_suspicious_windows_shortcut_file_creation_or_modification.toml	94
behavior/rules/windows/execution_suspicious_wmi_enumeration_via_windows_scripts.toml	74
behavior/rules/windows/execution_suspicious_wmi_library_load.toml	35
behavior/rules/windows/execution_unusual_powershell_engine_imageload.toml	139
behavior/rules/windows/execution_windows_installer_via_windows_script.toml	77
behavior/rules/windows/execution_windows_script_executed_from_a_suspicious_path.toml	78
behavior/rules/windows/execution_windows_script_execution_from_archive_file.toml	68
behavior/rules/windows/execution_windows_script_execution_via_mmc_console_file.toml	68
behavior/rules/windows/execution_windows_shortcut_file_embedded_object_execution.toml	104
behavior/rules/windows/impact_bcdedit_safe_mode_command_execution.toml	85
behavior/rules/windows/impact_inhibit_system_recovery_followed_by_a_suspicious_file_rename.toml	59
behavior/rules/windows/impact_inhibit_system_recovery_via_microsoft_office_process.toml	83
behavior/rules/windows/impact_inhibit_system_recovery_via_obfuscated_commands.toml	104
behavior/rules/windows/impact_inhibit_system_recovery_via_renamed_utilities.toml	57
behavior/rules/windows/impact_inhibit_system_recovery_via_signed_binary_proxy.toml	118
behavior/rules/windows/impact_inhibit_system_recovery_via_stopping_backup_services.toml	81
behavior/rules/windows/impact_inhibit_system_recovery_via_untrusted_parent_process.toml	48
behavior/rules/windows/impact_inhibit_system_recovery_via_windows_command_shell.toml	76
behavior/rules/windows/impact_potential_crypto_mining_activity.toml	84
behavior/rules/windows/impact_potential_data_wiping_attack_behavior.toml	57
behavior/rules/windows/impact_potential_ransomware_note_file.toml	88
behavior/rules/windows/impact_potential_ransomware_note_file_via_smb.toml	44
behavior/rules/windows/impact_shadow_copy_deletion_via_windows_management_instrumentation.toml	47
behavior/rules/windows/impact_suspicious_file_rename_by_an_unusual_process.toml	77
behavior/rules/windows/impact_suspicious_file_rename_from_unbacked_memory.toml	76
behavior/rules/windows/impact_suspicious_file_rename_via_smb.toml	46
behavior/rules/windows/impact_vss_service_disabled_followed_by_a_suspicious_file_rename.toml	54
behavior/rules/windows/initial_access_dll_loaded_from_a_macro_enabled_document.toml	79
behavior/rules/windows/initial_access_execution_from_a_downloaded_iso_file.toml	52
behavior/rules/windows/initial_access_execution_from_a_macro_enabled_office_document.toml	99
behavior/rules/windows/initial_access_execution_of_commonly_abused_utilities_via_explorer_trampoline.toml	110
behavior/rules/windows/initial_access_execution_of_file_written_or_modified_by_microsoft_equation_editor.toml	61
behavior/rules/windows/initial_access_execution_of_file_written_or_modified_by_microsoft_office.toml	53
behavior/rules/windows/initial_access_execution_via_a_suspicious_wmi_client.toml	110
behavior/rules/windows/initial_access_execution_via_microsoft_excel_xll_add_in.toml	61
behavior/rules/windows/initial_access_file_execution_via_microsoft_html_help.toml	54
behavior/rules/windows/initial_access_microsoft_equation_editor_child_process.toml	55
behavior/rules/windows/initial_access_microsoft_office_fetching_remote_content.toml	56
behavior/rules/windows/initial_access_microsoft_office_file_execution_via_script_interpreter.toml	46
behavior/rules/windows/initial_access_microsoft_office_file_execution_via_wmi.toml	57
behavior/rules/windows/initial_access_microsoft_office_loaded_a_dropped_executable_file.toml	69
behavior/rules/windows/initial_access_microsoft_office_process_setting_persistence_via_startup.toml	56
behavior/rules/windows/initial_access_potential_browser_exploit_via_fake_rpc_messages.toml	60
behavior/rules/windows/initial_access_potential_cve_2024_21412_exploitation.toml	56
behavior/rules/windows/initial_access_potential_decoy_document_via_user_execution.toml	87
behavior/rules/windows/initial_access_potential_execution_via_foxmail_exploitation.toml	51
behavior/rules/windows/initial_access_potential_execution_via_winrar_exploitation.toml	65
behavior/rules/windows/initial_access_potential_initial_access_via_rogue_rdp_server.toml	58
behavior/rules/windows/initial_access_potential_microsoft_outlook_remote_code_execution.toml	66
behavior/rules/windows/initial_access_potential_webshell_via_screenconnect_server.toml	52
behavior/rules/windows/initial_access_potential_winrar_cve_2023_38831_exploitation.toml	61
behavior/rules/windows/initial_access_powershell_obfuscation_spawned_via_microsoft_office.toml	114
behavior/rules/windows/initial_access_process_creation_via_microsoft_office_add_ins.toml	65
behavior/rules/windows/initial_access_registry_modification_via_microsoft_office.toml	92
behavior/rules/windows/initial_access_rundll32_regsvr32_loads_dropped_executable.toml	124
behavior/rules/windows/initial_access_script_file_written_by_microsoft_office_process.toml	98
behavior/rules/windows/initial_access_shortcut_file_modification_via_macro_enabled_document.toml	69
behavior/rules/windows/initial_access_signed_binary_execution_via_microsoft_office.toml	107
behavior/rules/windows/initial_access_suspicious_execution_from_a_pdf_documents.toml	45
behavior/rules/windows/initial_access_suspicious_execution_from_inet_cache.toml	71
behavior/rules/windows/initial_access_suspicious_execution_via_a_mounted_image_file.toml	47
behavior/rules/windows/initial_access_suspicious_execution_via_compiled_html_file.toml	73
behavior/rules/windows/initial_access_suspicious_execution_via_microsoft_officecmd_url_handler.toml	36
behavior/rules/windows/initial_access_suspicious_execution_via_shellbrowserwindow_shellwindow_com.toml	112
behavior/rules/windows/initial_access_suspicious_file_delivery_via_html_smuggling.toml	73
behavior/rules/windows/initial_access_suspicious_file_dropped_by_a_macro_enabled_document.toml	47
behavior/rules/windows/initial_access_suspicious_microsoft_html_help_descendant.toml	75
behavior/rules/windows/initial_access_suspicious_microsoft_iis_worker_descendant.toml	83
behavior/rules/windows/initial_access_suspicious_microsoft_office_child_process.toml	118
behavior/rules/windows/initial_access_suspicious_microsoft_office_embedded_object.toml	54
behavior/rules/windows/initial_access_suspicious_microsoft_onenote_child_process.toml	84
behavior/rules/windows/initial_access_suspicious_ms_office_execution_via_dcom.toml	65
behavior/rules/windows/initial_access_suspicious_network_connection_from_microsoft_equation_editor.toml	56
behavior/rules/windows/initial_access_suspicious_registry_modification_via_wmi.toml	197
behavior/rules/windows/initial_access_suspicious_shortcut_file_overwrite.toml	61
behavior/rules/windows/initial_access_suspicious_virtualprotect_via_jscript9_from_internet_explorer.toml	112
behavior/rules/windows/initial_access_untrusted_document_opened_via_microsoft_office.toml	121
behavior/rules/windows/initial_access_untrusted_file_execution_via_microsoft_office.toml	49
behavior/rules/windows/initial_access_windows_command_shell_spawned_via_microsoft_office.toml	93
behavior/rules/windows/initial_access_wmi_image_load_via_microsoft_office.toml	85
behavior/rules/windows/initial_access_wps_office_exploit_via_dll_hijack.toml	50
behavior/rules/windows/lateral_movement_execution_of_a_file_dropped_from_smb.toml	172
behavior/rules/windows/lateral_movement_execution_of_a_file_dropped_from_smb_via_services.toml	181
behavior/rules/windows/lateral_movement_imageload_of_a_file_dropped_via_smb.toml	84
behavior/rules/windows/lateral_movement_lateral_execution_via_dcom_office_application.toml	41
behavior/rules/windows/lateral_movement_potential_lateral_movement_via_smbexec.toml	58
behavior/rules/windows/lateral_movement_potential_remote_execution_via_imsiserver.toml	54
behavior/rules/windows/lateral_movement_suspicious_nullsessionpipe_registry_modification.toml	64
behavior/rules/windows/lateral_movement_suspicious_process_execution_via_network_logon.toml	356
behavior/rules/windows/lateral_movement_unexpected_smb_connection_from_user_mode_process.toml	71
behavior/rules/windows/lateral_movement_unsigned_file_execution_via_network_logon.toml	58
behavior/rules/windows/lateral_movement_unusual_remote_desktop_client_process.toml	62
behavior/rules/windows/persistence_browser_native_messaging_registry_modification.toml	56
behavior/rules/windows/persistence_chromium_extension_loaded_from_unusual_parent.toml	74
behavior/rules/windows/persistence_component_object_model_registry_modification_by_a_low_reputation_process.toml	52
behavior/rules/windows/persistence_dual_persistence_via_startup_and_scheduled_task.toml	86
behavior/rules/windows/persistence_microsoft_office_addin_creation.toml	43
behavior/rules/windows/persistence_microsoft_office_addin_loaded.toml	58
behavior/rules/windows/persistence_network_connection_via_startup_item.toml	87
behavior/rules/windows/persistence_office_application_startup_via_template_file_modification.toml	57
behavior/rules/windows/persistence_persistence_via_a_process_from_a_removable_or_mounted_iso_device.toml	92
behavior/rules/windows/persistence_persistence_via_autodialdll_registry_modification.toml	43
behavior/rules/windows/persistence_persistence_via_bits_setnotifycmdline_method.toml	58
behavior/rules/windows/persistence_persistence_via_extensible_firmware_modification.toml	79
behavior/rules/windows/persistence_persistence_via_winsock_name_space_dll.toml	49
behavior/rules/windows/persistence_potential_execution_via_shortcut_modification.toml	62
behavior/rules/windows/persistence_registry_or_file_modification_from_suspicious_memory.toml	135
behavior/rules/windows/persistence_registry_persistence_via_microsoft_office_descendant_process.toml	98
behavior/rules/windows/persistence_registry_run_key_modified_by_unusual_process.toml	142
behavior/rules/windows/persistence_registry_run_key_prefixed_with_asterisk.toml	63
behavior/rules/windows/persistence_scheduled_task_by_a_low_reputation_process.toml	55
behavior/rules/windows/persistence_scheduled_task_creation_by_an_unusual_process.toml	160
behavior/rules/windows/persistence_scheduled_task_creation_from_suspicious_parent.toml	63
behavior/rules/windows/persistence_scheduled_task_creation_via_unsigned_parent.toml	55
behavior/rules/windows/persistence_scheduled_task_from_a_browser_or_compression_utility_descendant.toml	68
behavior/rules/windows/persistence_scheduled_task_from_a_removable_or_mounted_iso_device.toml	69
behavior/rules/windows/persistence_script_file_written_to_startup_folder.toml	41
behavior/rules/windows/persistence_script_interpreter_process_writing_to_commonly_abused_persistence_locations.toml	91
behavior/rules/windows/persistence_self_service_persistence_by_an_unsigned_process.toml	93
behavior/rules/windows/persistence_startup_persistence_by_a_low_reputation_process.toml	105
behavior/rules/windows/persistence_startup_persistence_from_a_browser_or_compression_utility_descendant.toml	100
behavior/rules/windows/persistence_startup_persistence_from_backed_rwx_memory.toml	65
behavior/rules/windows/persistence_startup_persistence_via_microsoft_office_descendant_process.toml	75
behavior/rules/windows/persistence_startup_persistence_via_unusual_process.toml	63
behavior/rules/windows/persistence_startup_persistence_via_windows_script_interpreter.toml	97
behavior/rules/windows/persistence_suspicious_api_from_an_unsigned_service_dll.toml	53
behavior/rules/windows/persistence_suspicious_browser_files_modification.toml	55
behavior/rules/windows/persistence_suspicious_browser_preferences_file_modification.toml	59
behavior/rules/windows/persistence_suspicious_component_object_model_registry_modification.toml	79
behavior/rules/windows/persistence_suspicious_execution_via_microsoft_exchange_transport_agent.toml	38
behavior/rules/windows/persistence_suspicious_image_file_execution_options_modification.toml	81
behavior/rules/windows/persistence_suspicious_scheduled_task_creation.toml	66
behavior/rules/windows/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml	69
behavior/rules/windows/persistence_suspicious_scheduled_task_registry_modification.toml	54
behavior/rules/windows/persistence_suspicious_service_imagepath_value.toml	42
behavior/rules/windows/persistence_suspicious_shortcut_modification.toml	85
behavior/rules/windows/persistence_suspicious_startup_persistence_via_a_windows_installer.toml	71
behavior/rules/windows/persistence_suspicious_string_value_written_to_registry_run_key.toml	146
behavior/rules/windows/persistence_suspicious_svchost_registry_modification.toml	57
behavior/rules/windows/persistence_suspicious_windows_authentication_registry_modification.toml	99
behavior/rules/windows/persistence_suspicious_windows_schedule_child_process.toml	167
behavior/rules/windows/persistence_suspicious_windows_service_dll_creation.toml	82
behavior/rules/windows/persistence_suspicious_wmi_event_consumer_subscription.toml	41
behavior/rules/windows/persistence_uncommon_persistence_via_registry_modification.toml	72
behavior/rules/windows/persistence_untrusted_process_writing_to_commonly_abused_persistence_locations.toml	71
behavior/rules/windows/persistence_unusual_file_written_or_modified_in_startup_folder.toml	90
behavior/rules/windows/persistence_unusual_startup_shell_folder_modification.toml	70
behavior/rules/windows/persistence_windows_service_configuration_hjack.toml	47
behavior/rules/windows/privilege_escalation_access_token_manipulation_via_child_process.toml	97
behavior/rules/windows/privilege_escalation_driver_dropped_by_untrusted_executable.toml	65
behavior/rules/windows/privilege_escalation_elevation_via_common_log_file_system_exploitation.toml	44
behavior/rules/windows/privilege_escalation_interactive_logon_by_a_suspicious_process.toml	84
behavior/rules/windows/privilege_escalation_kernel_driver_registered_via_ntloaddriver.toml	53
behavior/rules/windows/privilege_escalation_msi_rollback_script_file_by_unusual_process.toml	60
behavior/rules/windows/privilege_escalation_networkcleartext_logon_by_a_suspicious_process.toml	65
behavior/rules/windows/privilege_escalation_newcredential_logon_by_a_suspicious_process.toml	73
behavior/rules/windows/privilege_escalation_potential_common_log_file_system_exploit.toml	37
behavior/rules/windows/privilege_escalation_potential_common_log_file_system_vulnerability_exploitation.toml	39
behavior/rules/windows/privilege_escalation_potential_execution_via_token_theft.toml	110
behavior/rules/windows/privilege_escalation_potential_exploitation_via_comdotnet_exploit.toml	49
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_cve_2022_38028.toml	45
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_dll_redirection.toml	63
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_elevated_ifileoperation.toml	87
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_file_redirection.toml	99
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_localpotato_exploit.toml	43
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_logonui.toml	41
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_missing_dll.toml	97
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_msi_repair.toml	45
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_rogue_winrm.toml	56
behavior/rules/windows/privilege_escalation_potential_privilege_escalation_via_token_impersonation.toml	91
behavior/rules/windows/privilege_escalation_potential_uac_bypass_via_ielevatedfactoryserver.toml	59
behavior/rules/windows/privilege_escalation_privilege_escalation_via_extended_startupinfo.toml	108
behavior/rules/windows/privilege_escalation_privilege_escalation_via_named_pipe_impersonation.toml	44
behavior/rules/windows/privilege_escalation_privilege_escalation_via_ntlmrelay2self.toml	50
behavior/rules/windows/privilege_escalation_privilege_escalation_via_seimpersonateprivilege.toml	94
behavior/rules/windows/privilege_escalation_privilege_escalation_via_windir_or_systemroot_environment_variable.toml	43
behavior/rules/windows/privilege_escalation_privilege_escalation_via_windows_installer_hijack.toml	64
behavior/rules/windows/privilege_escalation_process_creation_via_secondary_logon.toml	58
behavior/rules/windows/privilege_escalation_suspicious_execution_as_system_via_windows_command_shell.toml	48
behavior/rules/windows/privilege_escalation_suspicious_execution_via_windows_services.toml	200
behavior/rules/windows/privilege_escalation_suspicious_impersonation_as_trusted_installer.toml	113
behavior/rules/windows/privilege_escalation_suspicious_kernel_mode_address_manipulation.toml	42
behavior/rules/windows/privilege_escalation_suspicious_ntoskrnl_image_load.toml	44
behavior/rules/windows/privilege_escalation_suspicious_registry_symbolic_link.toml	52
behavior/rules/windows/privilege_escalation_suspicious_windows_service_execution.toml	47
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_cdssync_scheduled_task_hijack.toml	60
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_consent_dll_search_order_hijacking.toml	75
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_dccw_dll_search_order_hijacking.toml	76
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_dismcore_dll_side_loading.toml	70
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_dll_side_loading_from_windows_media_player_folder.toml	59
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_elevated_com_internet_explorer_add_on_installer.toml	45
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_mmc_dll_search_order_hijacking.toml	65
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_silentcleanup_task_dll_search_order_hijacking.toml	57
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_windows_directory_masquerading.toml	45
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_via_wow64_logger_dll_side_loading.toml	65
behavior/rules/windows/privilege_escalation_uac_bypass_attempt_with_ieditionupgrademanager_elevated_com_interface.toml	46
behavior/rules/windows/privilege_escalation_uac_bypass_via_computerdefaults_execution_hijack.toml	46
behavior/rules/windows/privilege_escalation_uac_bypass_via_control_panel_execution_hijack.toml	46
behavior/rules/windows/privilege_escalation_uac_bypass_via_delegateexecute_registry_modification.toml	66
behavior/rules/windows/privilege_escalation_uac_bypass_via_diskcleanup_scheduled_task_hijack.toml	50
behavior/rules/windows/privilege_escalation_uac_bypass_via_event_viewer.toml	65
behavior/rules/windows/privilege_escalation_uac_bypass_via_fodhelper_execution_hijack.toml	46
behavior/rules/windows/privilege_escalation_uac_bypass_via_hijacking_winmgmt_mmc.toml	66
behavior/rules/windows/privilege_escalation_uac_bypass_via_icmluautil_elevated_com_interface.toml	53
behavior/rules/windows/privilege_escalation_uac_bypass_via_malicious_mmc_snap_in_execution.toml	47
behavior/rules/windows/privilege_escalation_uac_bypass_via_sdclt.toml	50
behavior/rules/windows/privilege_escalation_uac_bypass_via_unsafe_deserialization_in_event_viewer.toml	58
behavior/rules/windows/privilege_escalation_uac_bypass_via_windows_activation_execution_hijack.toml	54
behavior/rules/windows/privilege_escalation_uac_bypass_via_windows_firewall_snap_in_hijack.toml	64
behavior/rules/windows/privilege_escalation_uac_bypass_via_wsreset_execution_hijack.toml	53
behavior/rules/windows/privilege_escalation_unsigned_dll_loaded_from_fake_windows_directory.toml	63
behavior/rules/windows/privilege_escalation_untrusted_dll_loaded_by_a_system_windows_process.toml	69
behavior/rules/windows/privilege_escalation_unusual_child_process_integrity_level.toml	59
behavior/rules/windows/privilege_escalation_unusual_desktop_window_manager_child_process.toml	44
behavior/rules/windows/privilege_escalation_unusual_privilege_escalation_to_system.toml	59
ransomware/artifact.lua	3044
ransomware/testing/mock_ransomware.ps1	78
ransomware/testing/mock_ransomware.py	61
yara/rules/Linux_Backdoor_Bash.yar	19
yara/rules/Linux_Backdoor_Fontonlake.yar	29
yara/rules/Linux_Backdoor_Generic.yar	38
yara/rules/Linux_Backdoor_Python.yar	19
yara/rules/Linux_Backdoor_Tinyshell.yar	22
yara/rules/Linux_Cryptominer_Attribute.yar	19
yara/rules/Linux_Cryptominer_Bscope.yar	19
yara/rules/Linux_Cryptominer_Bulz.yar	36
yara/rules/Linux_Cryptominer_Camelot.yar	282
yara/rules/Linux_Cryptominer_Casdet.yar	19
yara/rules/Linux_Cryptominer_Ccminer.yar	38
yara/rules/Linux_Cryptominer_Flystudio.yar	37
yara/rules/Linux_Cryptominer_Generic.yar	855
yara/rules/Linux_Cryptominer_Ksmdbot.yar	23
yara/rules/Linux_Cryptominer_Loudminer.yar	57
yara/rules/Linux_Cryptominer_Malxmr.yar	303
yara/rules/Linux_Cryptominer_Miancha.yar	19
yara/rules/Linux_Cryptominer_Minertr.yar	19
yara/rules/Linux_Cryptominer_Pgminer.yar	38
yara/rules/Linux_Cryptominer_Presenoker.yar	19
yara/rules/Linux_Cryptominer_Roboto.yar	38
yara/rules/Linux_Cryptominer_Stak.yar	94
yara/rules/Linux_Cryptominer_Ursu.yar	19
yara/rules/Linux_Cryptominer_Uwamson.yar	76
yara/rules/Linux_Cryptominer_Xmrig.yar	225
yara/rules/Linux_Cryptominer_Xmrminer.yar	226
yara/rules/Linux_Cryptominer_Xpaj.yar	19
yara/rules/Linux_Cryptominer_Zexaf.yar	19
yara/rules/Linux_Downloader_Generic.yar	19
yara/rules/Linux_Exploit_Abrox.yar	19
yara/rules/Linux_Exploit_Alie.yar	19
yara/rules/Linux_Exploit_CVE_2009_1897.yar	19
yara/rules/Linux_Exploit_CVE_2009_2698.yar	38
yara/rules/Linux_Exploit_CVE_2009_2908.yar	19
yara/rules/Linux_Exploit_CVE_2010_3301.yar	57
yara/rules/Linux_Exploit_CVE_2012_0056.yar	57
yara/rules/Linux_Exploit_CVE_2014_3153.yar	19
yara/rules/Linux_Exploit_CVE_2016_4557.yar	19
yara/rules/Linux_Exploit_CVE_2016_5195.yar	304
yara/rules/Linux_Exploit_CVE_2017_100011.yar	19
yara/rules/Linux_Exploit_CVE_2017_16995.yar	57
yara/rules/Linux_Exploit_CVE_2018_10561.yar	19
yara/rules/Linux_Exploit_CVE_2019_13272.yar	19
yara/rules/Linux_Exploit_CVE_2021_3156.yar	44
yara/rules/Linux_Exploit_CVE_2021_3490.yar	30
yara/rules/Linux_Exploit_CVE_2021_4034.yar	20
yara/rules/Linux_Exploit_CVE_2022_0847.yar	27
yara/rules/Linux_Exploit_Cornelgen.yar	57
yara/rules/Linux_Exploit_Courier.yar	19
yara/rules/Linux_Exploit_Criscras.yar	19
yara/rules/Linux_Exploit_Dirtycow.yar	19
yara/rules/Linux_Exploit_Enoket.yar	114
yara/rules/Linux_Exploit_Foda.yar	19
yara/rules/Linux_Exploit_IOUring.yar	21
yara/rules/Linux_Exploit_Intfour.yar	19
yara/rules/Linux_Exploit_Local.yar	228
yara/rules/Linux_Exploit_Log4j.yar	25
yara/rules/Linux_Exploit_Lotoor.yar	304
yara/rules/Linux_Exploit_Moogrey.yar	19
yara/rules/Linux_Exploit_Openssl.yar	19
yara/rules/Linux_Exploit_Perl.yar	38
yara/rules/Linux_Exploit_Pulse.yar	38
yara/rules/Linux_Exploit_Race.yar	19
yara/rules/Linux_Exploit_Ramen.yar	19
yara/rules/Linux_Exploit_Sorso.yar	57
yara/rules/Linux_Exploit_Vmsplice.yar	95
yara/rules/Linux_Exploit_Wuftpd.yar	19
yara/rules/Linux_Generic_Threat.yar	1174
yara/rules/Linux_Hacktool_Aduh.yar	19
yara/rules/Linux_Hacktool_Bruteforce.yar	57
yara/rules/Linux_Hacktool_Cleanlog.yar	57
yara/rules/Linux_Hacktool_Earthworm.yar	57
yara/rules/Linux_Hacktool_Exploitscan.yar	19
yara/rules/Linux_Hacktool_Flooder.yar	607
yara/rules/Linux_Hacktool_Fontonlake.yar	30
yara/rules/Linux_Hacktool_Infectionmonkey.yar	19
yara/rules/Linux_Hacktool_Lightning.yar	70
yara/rules/Linux_Hacktool_LigoloNG.yar	21
yara/rules/Linux_Hacktool_Outlaw.yar	84
yara/rules/Linux_Hacktool_Portscan.yar	76
yara/rules/Linux_Hacktool_Prochide.yar	19
yara/rules/Linux_Hacktool_Tcpscan.yar	19
yara/rules/Linux_Hacktool_Wipelog.yar	29
yara/rules/Linux_Packer_Patched_UPX.yar	20
yara/rules/Linux_Proxy_Frp.yar	28
yara/rules/Linux_Ransomware_Agenda.yar	22
yara/rules/Linux_Ransomware_Akira.yar	41
yara/rules/Linux_Ransomware_Babuk.yar	20
yara/rules/Linux_Ransomware_BlackBasta.yar	25
yara/rules/Linux_Ransomware_BlackSuit.yar	21
yara/rules/Linux_Ransomware_Clop.yar	22
yara/rules/Linux_Ransomware_Conti.yar	41
yara/rules/Linux_Ransomware_EchoRaix.yar	39
yara/rules/Linux_Ransomware_Erebus.yar	21
yara/rules/Linux_Ransomware_Esxiargs.yar	23
yara/rules/Linux_Ransomware_Gonnacry.yar	19
yara/rules/Linux_Ransomware_Hellokitty.yar	21
yara/rules/Linux_Ransomware_Hive.yar	19
yara/rules/Linux_Ransomware_ItsSoEasy.yar	20
yara/rules/Linux_Ransomware_LimpDemon.yar	22
yara/rules/Linux_Ransomware_Lockbit.yar	45
yara/rules/Linux_Ransomware_Monti.yar	22
yara/rules/Linux_Ransomware_NoEscape.yar	21
yara/rules/Linux_Ransomware_Quantum.yar	20
yara/rules/Linux_Ransomware_RagnarLocker.yar	21
yara/rules/Linux_Ransomware_RedAlert.yar	23
yara/rules/Linux_Ransomware_RoyalPest.yar	22
yara/rules/Linux_Ransomware_SFile.yar	20
yara/rules/Linux_Ransomware_Sodinokibi.yar	19
yara/rules/Linux_Rootkit_Adore.yar	19
yara/rules/Linux_Rootkit_Arkd.yar	19
yara/rules/Linux_Rootkit_Bedevil.yar	29
yara/rules/Linux_Rootkit_BrokePKG.yar	38
yara/rules/Linux_Rootkit_Dakkatoni.yar	19
yara/rules/Linux_Rootkit_Diamorphine.yar	53
yara/rules/Linux_Rootkit_Fontonlake.yar	26
yara/rules/Linux_Rootkit_Generic.yar	177
yara/rules/Linux_Rootkit_HiddenWasp.yar	34
yara/rules/Linux_Rootkit_Jynx.yar	29
yara/rules/Linux_Rootkit_Kovid.yar	47
yara/rules/Linux_Rootkit_Melofee.yar	27
yara/rules/Linux_Rootkit_Perfctl.yar	23
yara/rules/Linux_Rootkit_Reptile.yar	115
yara/rules/Linux_Rootkit_Snapekit.yar	56
yara/rules/Linux_Rootkit_Suterusu.yar	60
yara/rules/Linux_Shellcode_Generic.yar	152
yara/rules/Linux_Trojan_Adlibrary.yar	19
yara/rules/Linux_Trojan_Asacub.yar	19
yara/rules/Linux_Trojan_Azeela.yar	20
yara/rules/Linux_Trojan_BPFDoor.yar	169
yara/rules/Linux_Trojan_Backconnect.yar	19
yara/rules/Linux_Trojan_Backegmm.yar	19
yara/rules/Linux_Trojan_Badbee.yar	19
yara/rules/Linux_Trojan_Banload.yar	19
yara/rules/Linux_Trojan_Bedevil.yar	19
yara/rules/Linux_Trojan_Bish.yar	19
yara/rules/Linux_Trojan_Bluez.yar	19
yara/rules/Linux_Trojan_Cerbu.yar	19
yara/rules/Linux_Trojan_Chinaz.yar	19
yara/rules/Linux_Trojan_Connectback.yar	19
yara/rules/Linux_Trojan_Ddostf.yar	94
yara/rules/Linux_Trojan_DinodasRAT.yar	24
yara/rules/Linux_Trojan_Dnsamp.yar	19
yara/rules/Linux_Trojan_Dofloo.yar	57
yara/rules/Linux_Trojan_Dropperl.yar	133
yara/rules/Linux_Trojan_Ebury.yar	18
yara/rules/Linux_Trojan_FinalDraft.yar	33
yara/rules/Linux_Trojan_Gafgyt.yar	1392
yara/rules/Linux_Trojan_Ganiw.yar	37
yara/rules/Linux_Trojan_Generic.yar	328
yara/rules/Linux_Trojan_Getshell.yar	76
yara/rules/Linux_Trojan_Godlua.yar	18
yara/rules/Linux_Trojan_Godropper.yar	19
yara/rules/Linux_Trojan_Gognt.yar	38
yara/rules/Linux_Trojan_Hiddad.yar	19
yara/rules/Linux_Trojan_Ipstorm.yar	57
yara/rules/Linux_Trojan_Ircbot.yar	38
yara/rules/Linux_Trojan_Iroffer.yar	95
yara/rules/Linux_Trojan_Kaiji.yar	76
yara/rules/Linux_Trojan_Kinsing.yar	75
yara/rules/Linux_Trojan_Ladvix.yar	75
yara/rules/Linux_Trojan_Lady.yar	19
yara/rules/Linux_Trojan_Lala.yar	19
yara/rules/Linux_Trojan_Malxmr.yar	38
yara/rules/Linux_Trojan_Marut.yar	18
yara/rules/Linux_Trojan_Masan.yar	19
yara/rules/Linux_Trojan_Mech.yar	19
yara/rules/Linux_Trojan_Mechbot.yar	19
yara/rules/Linux_Trojan_Melofee.yar	24
yara/rules/Linux_Trojan_Merlin.yar	57
yara/rules/Linux_Trojan_Metasploit.yar	425
yara/rules/Linux_Trojan_Meterpreter.yar	73
yara/rules/Linux_Trojan_Mettle.yar	79
yara/rules/Linux_Trojan_Mirai.yar	1862
yara/rules/Linux_Trojan_Mobidash.yar	243
yara/rules/Linux_Trojan_Mumblehard.yar	19
yara/rules/Linux_Trojan_Ngioweb.yar	170
yara/rules/Linux_Trojan_Nuker.yar	19
yara/rules/Linux_Trojan_Orbit.yar	40
yara/rules/Linux_Trojan_Patpooty.yar	38
yara/rules/Linux_Trojan_Pnscan.yar	19
yara/rules/Linux_Trojan_Pornoasset.yar	19
yara/rules/Linux_Trojan_Psybnc.yar	57
yara/rules/Linux_Trojan_Pumakit.yar	30
yara/rules/Linux_Trojan_Rbot.yar	57
yara/rules/Linux_Trojan_Rekoobe.yar	133
yara/rules/Linux_Trojan_Roopre.yar	38
yara/rules/Linux_Trojan_Rooter.yar	19
yara/rules/Linux_Trojan_Rotajakiro.yar	19
yara/rules/Linux_Trojan_Rozena.yar	19
yara/rules/Linux_Trojan_Sambashell.yar	19
yara/rules/Linux_Trojan_Sckit.yar	19
yara/rules/Linux_Trojan_Sdbot.yar	19
yara/rules/Linux_Trojan_Setag.yar	37
yara/rules/Linux_Trojan_Sfloost.yar	19
yara/rules/Linux_Trojan_Shark.yar	19
yara/rules/Linux_Trojan_Shellbot.yar	19
yara/rules/Linux_Trojan_Skidmap.yar	56
yara/rules/Linux_Trojan_Snessik.yar	38
yara/rules/Linux_Trojan_Snowlight.yar	20
yara/rules/Linux_Trojan_Springtail.yar	24
yara/rules/Linux_Trojan_Sqlexp.yar	19
yara/rules/Linux_Trojan_Sshdkit.yar	19
yara/rules/Linux_Trojan_Sshdoor.yar	133
yara/rules/Linux_Trojan_Subsevux.yar	19
yara/rules/Linux_Trojan_Swrort.yar	57
yara/rules/Linux_Trojan_Sysrv.yar	19
yara/rules/Linux_Trojan_Torii.yar	19
yara/rules/Linux_Trojan_Truncpx.yar	19
yara/rules/Linux_Trojan_Tsunami.yar	512
yara/rules/Linux_Trojan_Winnti.yar	76
yara/rules/Linux_Trojan_XZBackdoor.yar	23
yara/rules/Linux_Trojan_Xhide.yar	57
yara/rules/Linux_Trojan_Xorddos.yar	453
yara/rules/Linux_Trojan_Xpmmap.yar	19
yara/rules/Linux_Trojan_Zerobot.yar	50
yara/rules/Linux_Trojan_Zpevdo.yar	18
yara/rules/Linux_Virus_Gmon.yar	38
yara/rules/Linux_Virus_Rst.yar	19
yara/rules/Linux_Virus_Staffcounter.yar	19
yara/rules/Linux_Virus_Thebe.yar	19
yara/rules/Linux_Webshell_Generic.yar	38
yara/rules/Linux_Worm_Generic.yar	76
yara/rules/MacOS_Backdoor_Applejeus.yar	19
yara/rules/MacOS_Backdoor_Fakeflashlxk.yar	21
yara/rules/MacOS_Backdoor_Kagent.yar	25
yara/rules/MacOS_Backdoor_Keyboardrecord.yar	23
yara/rules/MacOS_Backdoor_Useragent.yar	23
yara/rules/MacOS_Creddump_KeychainAccess.yar	25
yara/rules/MacOS_Cryptominer_Generic.yar	59
yara/rules/MacOS_Cryptominer_Xmrig.yar	22
yara/rules/MacOS_Exploit_Log4j.yar	24
yara/rules/MacOS_Hacktool_Bifrost.yar	27
yara/rules/MacOS_Hacktool_Swiftbelt.yar	44
yara/rules/MacOS_Infostealer_MdQueryPassw.yar	19
yara/rules/MacOS_Infostealer_MdQuerySecret.yar	19
yara/rules/MacOS_Infostealer_MdQueryTCC.yar	19
yara/rules/MacOS_Infostealer_MdQueryToken.yar	19
yara/rules/MacOS_Trojan_Adload.yar	57
yara/rules/MacOS_Trojan_Amcleaner.yar	57
yara/rules/MacOS_Trojan_Aobokeylogger.yar	19
yara/rules/MacOS_Trojan_Bundlore.yar	209
yara/rules/MacOS_Trojan_Eggshell.yar	23
yara/rules/MacOS_Trojan_Electrorat.yar	22
yara/rules/MacOS_Trojan_Fplayer.yar	19
yara/rules/MacOS_Trojan_Generic.yar	19
yara/rules/MacOS_Trojan_Genieo.yar	76
yara/rules/MacOS_Trojan_Getshell.yar	19
yara/rules/MacOS_Trojan_HLoader.yar	21
yara/rules/MacOS_Trojan_KandyKorn.yar	29
yara/rules/MacOS_Trojan_Metasploit.yar	261
yara/rules/MacOS_Trojan_RustBucket.yar	22
yara/rules/MacOS_Trojan_SugarLoader.yar	23
yara/rules/MacOS_Trojan_Thiefquest.yar	117
yara/rules/MacOS_Virus_Maxofferdeal.yar	76
yara/rules/MacOS_Virus_Pirrit.yar	19
yara/rules/MacOS_Virus_Vsearch.yar	36
yara/rules/Macos_Hacktool_JokerSpy.yar	25
yara/rules/Macos_Infostealer_EncodedOsascript.yar	21
yara/rules/Macos_Infostealer_Wallets.yar	111
yara/rules/Multi_AttackSimulation_Blindspot.yar	18
yara/rules/Multi_Cryptominer_Xmrig.yar	25
yara/rules/Multi_EICAR.yar	18
yara/rules/Multi_Generic_Threat.yar	19
yara/rules/Multi_Hacktool_Gsocket.yar	32
yara/rules/Multi_Hacktool_Nps.yar	49
yara/rules/Multi_Hacktool_Rakshasa.yar	24
yara/rules/Multi_Hacktool_Stowaway.yar	27
yara/rules/Multi_Hacktool_SuperShell.yar	22
yara/rules/Multi_Ransomware_Akira.yar	19
yara/rules/Multi_Ransomware_BlackCat.yar	129
yara/rules/Multi_Ransomware_Luna.yar	27
yara/rules/Multi_Ransomware_RansomHub.yar	26
yara/rules/Multi_Trojan_Coreimpact.yar	23
yara/rules/Multi_Trojan_FinalDraft.yar	46
yara/rules/Multi_Trojan_Gosar.yar	25
yara/rules/Multi_Trojan_Merlin.yar	28
yara/rules/Multi_Trojan_Mythic.yar	87
yara/rules/Multi_Trojan_Sliver.yar	86
yara/rules/Multi_Trojan_SparkRat.yar	21
yara/rules/Windows_AttackSimulation_Hovercraft.yar	20
yara/rules/Windows_Backdoor_DragonCastling.yar	27
yara/rules/Windows_Backdoor_Goldbackdoor.yar	50
yara/rules/Windows_Backdoor_TeamViewer.yar	25
yara/rules/Windows_Clickfraud_LuckySlots.yar	25
yara/rules/Windows_Cryptominer_Generic.yar	38
yara/rules/Windows_Exploit_CVE_2022_38028.yar	19
yara/rules/Windows_Exploit_Dcom.yar	19
yara/rules/Windows_Exploit_Eternalblue.yar	19
yara/rules/Windows_Exploit_FakePipe.yar	22
yara/rules/Windows_Exploit_Generic.yar	85
yara/rules/Windows_Exploit_IoRing.yar	22
yara/rules/Windows_Exploit_Log4j.yar	24
yara/rules/Windows_Exploit_Perfusion.yar	22
yara/rules/Windows_Exploit_RpcJunction.yar	21
yara/rules/Windows_Generic_MalCert.yar	2224
yara/rules/Windows_Generic_Threat.yar	3502
yara/rules/Windows_Hacktool_AskCreds.yar	20
yara/rules/Windows_Hacktool_BlackBone.yar	19
yara/rules/Windows_Hacktool_COFFLoader.yar	43
yara/rules/Windows_Hacktool_Capcom.yar	20
yara/rules/Windows_Hacktool_Certify.yar	27
yara/rules/Windows_Hacktool_CheatEngine.yar	20
yara/rules/Windows_Hacktool_ChromeKatz.yar	28
yara/rules/Windows_Hacktool_ClrOxide.yar	25
yara/rules/Windows_Hacktool_CpuLocker.yar	19
yara/rules/Windows_Hacktool_DarkLoadLibrary.yar	29
yara/rules/Windows_Hacktool_Dcsyncer.yar	23
yara/rules/Windows_Hacktool_DinvokeRust.yar	24
yara/rules/Windows_Hacktool_EDRWFP.yar	22
yara/rules/Windows_Hacktool_EDRrecon.yar	114
yara/rules/Windows_Hacktool_ExecuteAssembly.yar	20
yara/rules/Windows_Hacktool_Gmer.yar	19
yara/rules/Windows_Hacktool_GodPotato.yar	28
yara/rules/Windows_Hacktool_Iox.yar	23
yara/rules/Windows_Hacktool_LeiGod.yar	38
yara/rules/Windows_Hacktool_Mimikatz.yar	170
yara/rules/Windows_Hacktool_NetFilter.yar	76
yara/rules/Windows_Hacktool_Phant0m.yar	24
yara/rules/Windows_Hacktool_PhysMem.yar	39
yara/rules/Windows_Hacktool_ProcessHacker.yar	19
yara/rules/Windows_Hacktool_RingQ.yar	25
yara/rules/Windows_Hacktool_Rubeus.yar	27
yara/rules/Windows_Hacktool_SafetyKatz.yar	23
yara/rules/Windows_Hacktool_Seatbelt.yar	26
yara/rules/Windows_Hacktool_SharPersist.yar	23
yara/rules/Windows_Hacktool_SharpAppLocker.yar	22
yara/rules/Windows_Hacktool_SharpChromium.yar	23
yara/rules/Windows_Hacktool_SharpDump.yar	23
yara/rules/Windows_Hacktool_SharpGPOAbuse.yar	26
yara/rules/Windows_Hacktool_SharpHound.yar	23
yara/rules/Windows_Hacktool_SharpLAPS.yar	26
yara/rules/Windows_Hacktool_SharpMove.yar	23
yara/rules/Windows_Hacktool_SharpRDP.yar	23
yara/rules/Windows_Hacktool_SharpSCCM.yar	31
yara/rules/Windows_Hacktool_SharpShares.yar	30
yara/rules/Windows_Hacktool_SharpStay.yar	23
yara/rules/Windows_Hacktool_SharpUp.yar	25
yara/rules/Windows_Hacktool_SharpView.yar	34
yara/rules/Windows_Hacktool_SharpWMI.yar	27
yara/rules/Windows_Hacktool_SleepObfLoader.yar	22
yara/rules/Windows_Hacktool_WinPEAS_ng.yar	340
yara/rules/Windows_Infostealer_Generic.yar	23
yara/rules/Windows_Infostealer_PhemedroneStealer.yar	30
yara/rules/Windows_Infostealer_Strela.yar	25
yara/rules/Windows_PUP_Generic.yar	20
yara/rules/Windows_PUP_MediaArena.yar	25
yara/rules/Windows_PUP_Veriato.yar	21
yara/rules/Windows_Packer_ScrubCrypt.yar	20
yara/rules/Windows_Ransomware_Agenda.yar	22
yara/rules/Windows_Ransomware_Akira.yar	24
yara/rules/Windows_Ransomware_Avoslocker.yar	23
yara/rules/Windows_Ransomware_Azov.yar	23
yara/rules/Windows_Ransomware_Bitpaymer.yar	47
yara/rules/Windows_Ransomware_BlackBasta.yar	27
yara/rules/Windows_Ransomware_BlackHunt.yar	25
yara/rules/Windows_Ransomware_Blackmatter.yar	38
yara/rules/Windows_Ransomware_Cicada3301.yar	23
yara/rules/Windows_Ransomware_Clop.yar	89
yara/rules/Windows_Ransomware_Conti.yar	19
yara/rules/Windows_Ransomware_Crytox.yar	19
yara/rules/Windows_Ransomware_Cuba.yar	43
yara/rules/Windows_Ransomware_Darkside.yar	38
yara/rules/Windows_Ransomware_Dharma.yar	83
yara/rules/Windows_Ransomware_Doppelpaymer.yar	61
yara/rules/Windows_Ransomware_Egregor.yar	47
yara/rules/Windows_Ransomware_GandCrab.yar	21
yara/rules/Windows_Ransomware_Generic.yar	22
yara/rules/Windows_Ransomware_Grief.yar	19
yara/rules/Windows_Ransomware_Haron.yar	40
yara/rules/Windows_Ransomware_Hellokitty.yar	78
yara/rules/Windows_Ransomware_Helloxd.yar	26
yara/rules/Windows_Ransomware_Hive.yar	63
yara/rules/Windows_Ransomware_Lockbit.yar	65
yara/rules/Windows_Ransomware_Lockfile.yar	22
yara/rules/Windows_Ransomware_Magniber.yar	38
yara/rules/Windows_Ransomware_Makop.yar	43
yara/rules/Windows_Ransomware_Maui.yar	29
yara/rules/Windows_Ransomware_Maze.yar	91
yara/rules/Windows_Ransomware_Medusa.yar	24
yara/rules/Windows_Ransomware_Mespinoza.yar	21
yara/rules/Windows_Ransomware_Mountlocker.yar	23
yara/rules/Windows_Ransomware_Nightsky.yar	41
yara/rules/Windows_Ransomware_Pandora.yar	21
yara/rules/Windows_Ransomware_Ragnarok.yar	92
yara/rules/Windows_Ransomware_Ransomexx.yar	22
yara/rules/Windows_Ransomware_Rook.yar	19
yara/rules/Windows_Ransomware_Royal.yar	22
yara/rules/Windows_Ransomware_Ryuk.yar	152
yara/rules/Windows_Ransomware_Snake.yar	45
yara/rules/Windows_Ransomware_Sodinokibi.yar	89
yara/rules/Windows_Ransomware_Stop.yar	20
yara/rules/Windows_Ransomware_Vhd.yar	22
yara/rules/Windows_Ransomware_WannaCry.yar	26
yara/rules/Windows_Ransomware_WhisperGate.yar	42
yara/rules/Windows_RemoteAdmin_UltraVNC.yar	25
yara/rules/Windows_Rootkit_AbyssWorker.yar	23
yara/rules/Windows_Rootkit_R77.yar	136
yara/rules/Windows_Shellcode_Generic.yar	54
yara/rules/Windows_Shellcode_Rdi.yar	58
yara/rules/Windows_Trojan_A310logger.yar	23
yara/rules/Windows_Trojan_Afdk.yar	40
yara/rules/Windows_Trojan_AgentTesla.yar	144
yara/rules/Windows_Trojan_Amadey.yar	38
yara/rules/Windows_Trojan_ArkeiStealer.yar	19
yara/rules/Windows_Trojan_Asyncrat.yar	24
yara/rules/Windows_Trojan_AveMaria.yar	31
yara/rules/Windows_Trojan_Azorult.yar	23
yara/rules/Windows_Trojan_BITSloth.yar	27
yara/rules/Windows_Trojan_Babble.yar	20
yara/rules/Windows_Trojan_Babylonrat.yar	22
yara/rules/Windows_Trojan_Backoff.yar	23
yara/rules/Windows_Trojan_Bandook.yar	24
yara/rules/Windows_Trojan_Bazar.yar	76
yara/rules/Windows_Trojan_Beam.yar	41
yara/rules/Windows_Trojan_Behinder.yar	22
yara/rules/Windows_Trojan_Bitrat.yar	42
yara/rules/Windows_Trojan_BlackShades.yar	45
yara/rules/Windows_Trojan_Blackwood.yar	26
yara/rules/Windows_Trojan_Blister.yar	106
yara/rules/Windows_Trojan_BloodAlchemy.yar	102
yara/rules/Windows_Trojan_BruteRatel.yar	198
yara/rules/Windows_Trojan_Buerloader.yar	24
yara/rules/Windows_Trojan_Bughatch.yar	50
yara/rules/Windows_Trojan_Bumblebee.yar	45
yara/rules/Windows_Trojan_CaesarKbd.yar	19
yara/rules/Windows_Trojan_Carberp.yar	22
yara/rules/Windows_Trojan_Clipbanker.yar	84
yara/rules/Windows_Trojan_CobaltStrike.yar	1041
yara/rules/Windows_Trojan_Cryptbot.yar	23
yara/rules/Windows_Trojan_CyberGate.yar	62
yara/rules/Windows_Trojan_DBatLoader.yar	19
yara/rules/Windows_Trojan_DCRat.yar	24
yara/rules/Windows_Trojan_DTrack.yar	27
yara/rules/Windows_Trojan_Danabot.yar	26
yara/rules/Windows_Trojan_DarkCloud.yar	20
yara/rules/Windows_Trojan_DarkGate.yar	41
yara/rules/Windows_Trojan_DarkVNC.yar	23
yara/rules/Windows_Trojan_Darkcomet.yar	23
yara/rules/Windows_Trojan_Deimos.yar	43
yara/rules/Windows_Trojan_DiamondFox.yar	23
yara/rules/Windows_Trojan_Diceloader.yar	45
yara/rules/Windows_Trojan_DodgeBox.yar	23
yara/rules/Windows_Trojan_Donutloader.yar	56
yara/rules/Windows_Trojan_DoorMe.yar	25
yara/rules/Windows_Trojan_DoubleBack.yar	31
yara/rules/Windows_Trojan_DoubleLoader.yar	27
yara/rules/Windows_Trojan_DownTown.yar	43
yara/rules/Windows_Trojan_DragonBreath.yar	21
yara/rules/Windows_Trojan_DreamJob.yar	25
yara/rules/Windows_Trojan_Dridex.yar	39
yara/rules/Windows_Trojan_DustyWarehouse.yar	42
yara/rules/Windows_Trojan_EagerBee.yar	44
yara/rules/Windows_Trojan_Emotet.yar	160
yara/rules/Windows_Trojan_Fabookie.yar	20
yara/rules/Windows_Trojan_FalseFont.yar	26
yara/rules/Windows_Trojan_Farfli.yar	19
yara/rules/Windows_Trojan_Fickerstealer.yar	39
yara/rules/Windows_Trojan_FinalDraft.yar	28
yara/rules/Windows_Trojan_FlawedGrace.yar	23
yara/rules/Windows_Trojan_Formbook.yar	65
yara/rules/Windows_Trojan_Garble.yar	19
yara/rules/Windows_Trojan_Generic.yar	316
yara/rules/Windows_Trojan_Gh0st.yar	23
yara/rules/Windows_Trojan_GhostEngine.yar	26
yara/rules/Windows_Trojan_GhostPulse.yar	141
yara/rules/Windows_Trojan_Glupteba.yar	43
yara/rules/Windows_Trojan_Gozi.yar	59
yara/rules/Windows_Trojan_Grandoreiro.yar	23
yara/rules/Windows_Trojan_GuidLoader.yar	23
yara/rules/Windows_Trojan_Guloader.yar	68
yara/rules/Windows_Trojan_Hancitor.yar	21
yara/rules/Windows_Trojan_Havoc.yar	104
yara/rules/Windows_Trojan_Hawkeye.yar	47
yara/rules/Windows_Trojan_HazelCobra.yar	22
yara/rules/Windows_Trojan_HijackLoader.yar	24
yara/rules/Windows_Trojan_HotPage.yar	25
yara/rules/Windows_Trojan_IcedID.yar	357
yara/rules/Windows_Trojan_JesterStealer.yar	44
yara/rules/Windows_Trojan_Jupyter.yar	22
yara/rules/Windows_Trojan_Kronos.yar	27
yara/rules/Windows_Trojan_Latrodectus.yar	26
yara/rules/Windows_Trojan_LegionLoader.yar	19
yara/rules/Windows_Trojan_Limerat.yar	19
yara/rules/Windows_Trojan_Lobshot.yar	30
yara/rules/Windows_Trojan_Lokibot.yar	38
yara/rules/Windows_Trojan_Lumma.yar	59
yara/rules/Windows_Trojan_Lurker.yar	19
yara/rules/Windows_Trojan_M0yv.yar	21
yara/rules/Windows_Trojan_MagicRat.yar	26
yara/rules/Windows_Trojan_MassLogger.yar	24
yara/rules/Windows_Trojan_Mata.yar	19
yara/rules/Windows_Trojan_Matanbuchus.yar	60
yara/rules/Windows_Trojan_Merlin.yar	19
yara/rules/Windows_Trojan_MetaStealer.yar	55
yara/rules/Windows_Trojan_Metasploit.yar	355
yara/rules/Windows_Trojan_MicroBackdoor.yar	43
yara/rules/Windows_Trojan_ModPipe.yar	21
yara/rules/Windows_Trojan_MyloBot.yar	25
yara/rules/Windows_Trojan_Nanocore.yar	29
yara/rules/Windows_Trojan_NapListener.yar	45
yara/rules/Windows_Trojan_Netwire.yar	87
yara/rules/Windows_Trojan_Nighthawk.yar	72
yara/rules/Windows_Trojan_Nimplant.yar	21
yara/rules/Windows_Trojan_Njrat.yar	43
yara/rules/Windows_Trojan_NukeSped.yar	24
yara/rules/Windows_Trojan_Octopus.yar	19
yara/rules/Windows_Trojan_OnlyLogger.yar	45
yara/rules/Windows_Trojan_OskiStealer.yar	23
yara/rules/Windows_Trojan_P8Loader.yar	26
yara/rules/Windows_Trojan_Pandastealer.yar	23
yara/rules/Windows_Trojan_Parallax.yar	54
yara/rules/Windows_Trojan_PathLoader.yar	22
yara/rules/Windows_Trojan_Phoreal.yar	23
yara/rules/Windows_Trojan_PikaBot.yar	100
yara/rules/Windows_Trojan_Pingpull.yar	25
yara/rules/Windows_Trojan_PipeDance.yar	27
yara/rules/Windows_Trojan_PizzaPotion.yar	24
yara/rules/Windows_Trojan_PlugX.yar	71
yara/rules/Windows_Trojan_Pony.yar	25
yara/rules/Windows_Trojan_PoshC2.yar	26
yara/rules/Windows_Trojan_PowerSeal.yar	43
yara/rules/Windows_Trojan_PrivateLoader.yar	22
yara/rules/Windows_Trojan_ProtectS.yar	19
yara/rules/Windows_Trojan_Qbot.yar	132
yara/rules/Windows_Trojan_Quasarrat.yar	23
yara/rules/Windows_Trojan_Raccoon.yar	61
yara/rules/Windows_Trojan_RaspberryRobin.yar	19
yara/rules/Windows_Trojan_RedLineStealer.yar	200
yara/rules/Windows_Trojan_Remcos.yar	48
yara/rules/Windows_Trojan_Revcoderat.yar	22
yara/rules/Windows_Trojan_Revengerat.yar	22
yara/rules/Windows_Trojan_Rhadamanthys.yar	132
yara/rules/Windows_Trojan_RudeBird.yar	19
yara/rules/Windows_Trojan_STRRAT.yar	20
yara/rules/Windows_Trojan_SVCReady.yar	23
yara/rules/Windows_Trojan_SadBridge.yar	19
yara/rules/Windows_Trojan_ServHelper.yar	39
yara/rules/Windows_Trojan_ShadowPad.yar	47
yara/rules/Windows_Trojan_ShelbyC2.yar	23
yara/rules/Windows_Trojan_ShelbyLoader.yar	25
yara/rules/Windows_Trojan_SiestaGraph.yar	77
yara/rules/Windows_Trojan_Sliver.yar	59
yara/rules/Windows_Trojan_Smokeloader.yar	139
yara/rules/Windows_Trojan_SnakeKeylogger.yar	32
yara/rules/Windows_Trojan_SolarMarker.yar	41
yara/rules/Windows_Trojan_SomniRecord.yar	29
yara/rules/Windows_Trojan_SourShark.yar	40
yara/rules/Windows_Trojan_SpectralViper.yar	52
yara/rules/Windows_Trojan_Squirrelwaffle.yar	41
yara/rules/Windows_Trojan_Stealc.yar	68
yara/rules/Windows_Trojan_StormKitty.yar	24
yara/rules/Windows_Trojan_StumpZarus.yar	24
yara/rules/Windows_Trojan_SuddenIcon.yar	94
yara/rules/Windows_Trojan_SysJoker.yar	47
yara/rules/Windows_Trojan_SystemBC.yar	48
yara/rules/Windows_Trojan_Sythe.yar	22
yara/rules/Windows_Trojan_Tofsee.yar	20
yara/rules/Windows_Trojan_Trickbot.yar	937
yara/rules/Windows_Trojan_TwistedTinsel.yar	20
yara/rules/Windows_Trojan_Vidar.yar	110
yara/rules/Windows_Trojan_WarmCookie.yar	56
yara/rules/Windows_Trojan_WhisperGate.yar	24
yara/rules/Windows_Trojan_WikiLoader.yar	38
yara/rules/Windows_Trojan_WineLoader.yar	21
yara/rules/Windows_Trojan_XWorm.yar	68
yara/rules/Windows_Trojan_Xeno.yar	44
yara/rules/Windows_Trojan_Xpertrat.yar	21
yara/rules/Windows_Trojan_XtremeRAT.yar	28
yara/rules/Windows_Trojan_Zeus.yar	25
yara/rules/Windows_Trojan_Zloader.yar	76
yara/rules/Windows_Virus_Expiro.yar	20
yara/rules/Windows_Virus_Floxif.yar	19
yara/rules/Windows_Virus_Neshta.yar	20
yara/rules/Windows_VulnDriver_ATSZIO.yar	20
yara/rules/Windows_VulnDriver_Agent64.yar	25
yara/rules/Windows_VulnDriver_Amifldrv.yar	19
yara/rules/Windows_VulnDriver_ArPot.yar	21
yara/rules/Windows_VulnDriver_AsIo.yar	19
yara/rules/Windows_VulnDriver_Asrock.yar	60
yara/rules/Windows_VulnDriver_Atillk.yar	21
yara/rules/Windows_VulnDriver_BSMI.yar	21
yara/rules/Windows_VulnDriver_Biostar.yar	82
yara/rules/Windows_VulnDriver_CCProtect.yar	21
yara/rules/Windows_VulnDriver_Cpuz.yar	21
yara/rules/Windows_VulnDriver_DBUtil.yar	38
yara/rules/Windows_VulnDriver_DirectIo.yar	40
yara/rules/Windows_VulnDriver_EchoDrv.yar	19
yara/rules/Windows_VulnDriver_ElRawDisk.yar	19
yara/rules/Windows_VulnDriver_Elby.yar	21
yara/rules/Windows_VulnDriver_EneIo.yar	19
yara/rules/Windows_VulnDriver_FidDrv.yar	23
yara/rules/Windows_VulnDriver_Fidpci.yar	19
yara/rules/Windows_VulnDriver_Fileseclab.yar	24
yara/rules/Windows_VulnDriver_GDrv.yar	21
yara/rules/Windows_VulnDriver_GlckIo.yar	38
yara/rules/Windows_VulnDriver_Gvci.yar	19
yara/rules/Windows_VulnDriver_HpPortIo.yar	21
yara/rules/Windows_VulnDriver_HrSword.yar	20
yara/rules/Windows_VulnDriver_IoBitUnlocker.yar	25
yara/rules/Windows_VulnDriver_Iqvw.yar	21
yara/rules/Windows_VulnDriver_LLAccess.yar	21
yara/rules/Windows_VulnDriver_Lha.yar	20
yara/rules/Windows_VulnDriver_MarvinHW.yar	22
yara/rules/Windows_VulnDriver_Mhyprot.yar	22
yara/rules/Windows_VulnDriver_MicroStar.yar	21
yara/rules/Windows_VulnDriver_MsIo.yar	38
yara/rules/Windows_VulnDriver_MtcBsv.yar	21
yara/rules/Windows_VulnDriver_PowerProfiler.yar	21
yara/rules/Windows_VulnDriver_PowerTool.yar	20
yara/rules/Windows_VulnDriver_ProcExp.yar	21
yara/rules/Windows_VulnDriver_ProcId.yar	19
yara/rules/Windows_VulnDriver_RWEverything.yar	20
yara/rules/Windows_VulnDriver_RentDrv.yar	20
yara/rules/Windows_VulnDriver_RtCore.yar	20
yara/rules/Windows_VulnDriver_Rtkio.yar	80
yara/rules/Windows_VulnDriver_Ryzen.yar	42
yara/rules/Windows_VulnDriver_Sandra.yar	41
yara/rules/Windows_VulnDriver_Segwin.yar	21
yara/rules/Windows_VulnDriver_Speedfan.yar	20
yara/rules/Windows_VulnDriver_ThreatFire.yar	20
yara/rules/Windows_VulnDriver_TmComm.yar	21
yara/rules/Windows_VulnDriver_ToshibaBios.yar	21
yara/rules/Windows_VulnDriver_TrueSight.yar	20
yara/rules/Windows_VulnDriver_VBox.yar	41
yara/rules/Windows_VulnDriver_Viragt.yar	42
yara/rules/Windows_VulnDriver_Vmdrv.yar	21
yara/rules/Windows_VulnDriver_WinDivert.yar	19
yara/rules/Windows_VulnDriver_WinFlash.yar	19
yara/rules/Windows_VulnDriver_WinIo.yar	38
yara/rules/Windows_VulnDriver_XTier.yar	84
yara/rules/Windows_VulnDriver_Zam.yar	41
yara/rules/Windows_Wiper_CaddyWiper.yar	22
yara/rules/Windows_Wiper_DoubleZero.yar	23
yara/rules/Windows_Wiper_HermeticWiper.yar	25
yara/rules/Windows_Wiper_IsaacWiper.yar	24