/*
 * Undirected relationship graph between behaviour-detection rule files.
 *
 * Every node ID is the bracketed repository path of one rule file under
 * behavior/rules/{windows,linux,macos}/; the file-name prefix carries the
 * rule's tactic (defense_evasion, credential_access, persistence, ...).
 *
 * Every edge carries an integer weight in its label (2 or 1 in this file).
 * The weight is mirrored by penwidth and by the alpha suffix of the edge
 * colour (70 for weight 2, 5E for weight 1), so heavier pairs render
 * thicker and more opaque.
 *
 * NOTE(review): nothing in this file says what the weight measures (shared
 * commits, co-firing alerts, shared indicators, ...). Many edges join rules
 * written for different operating systems, so read an edge as "these two
 * rules are related by the generator's metric", not as an attack sequence,
 * until the generator's definition is confirmed.
 *
 * Statement order is kept exactly as generated, because Graphviz layout can
 * depend on it.
 */
graph G {
    // Graph-level attributes. No clusters are declared in this file, so
    // compound="true" has nothing to act on here.
    compound="true"
    rankdir="TB"
    bgcolor="white"
    fontname="Tahoma"

    // Default node appearance: filled box, sized to fit the long path label.
    node [
        fixedsize="false"
        fontname="Tahoma"
        color="white"
        fillcolor="deepskyblue2"
        fontcolor="black"
        shape="box"
        style="filled"
        penwidth="1.0"
    ]

    // Default edge appearance; each edge below overrides penwidth and color.
    edge [
        fontname="Arial"
        color="#00688b"
        fontcolor="black"
        fontsize="12"
        arrowsize="0.5"
        penwidth="1.0"
    ]

    // ---- Weight 2 (11 edges) ------------------------------------------
    // Five rules are pairwise connected here (core module change, AMSI/WLDP
    // memory patching, RDP tunneling, remote registry modification, and the
    // Linux web-server command rule); the network-logon rule attaches to
    // that group through the RDP tunneling rule only.
    "[behavior/rules/windows/defense_evasion_suspicious_windows_core_module_change.toml]" -- "[behavior/rules/windows/defense_evasion_amsi_or_wldp_bypass_via_memory_patching.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/defense_evasion_amsi_or_wldp_bypass_via_memory_patching.toml]" -- "[behavior/rules/windows/command_and_control_potential_remote_desktop_protocol_tunneling.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/defense_evasion_suspicious_remote_registry_modification.toml]" -- "[behavior/rules/windows/defense_evasion_amsi_or_wldp_bypass_via_memory_patching.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/lateral_movement_suspicious_process_execution_via_network_logon.toml]" -- "[behavior/rules/windows/command_and_control_potential_remote_desktop_protocol_tunneling.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/defense_evasion_suspicious_windows_core_module_change.toml]" -- "[behavior/rules/windows/command_and_control_potential_remote_desktop_protocol_tunneling.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/command_and_control_potential_remote_desktop_protocol_tunneling.toml]" -- "[behavior/rules/linux/persistence_unusual_command_executed_by_web_server.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/defense_evasion_suspicious_windows_core_module_change.toml]" -- "[behavior/rules/windows/defense_evasion_suspicious_remote_registry_modification.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/defense_evasion_suspicious_windows_core_module_change.toml]" -- "[behavior/rules/linux/persistence_unusual_command_executed_by_web_server.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/defense_evasion_amsi_or_wldp_bypass_via_memory_patching.toml]" -- "[behavior/rules/linux/persistence_unusual_command_executed_by_web_server.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/defense_evasion_suspicious_remote_registry_modification.toml]" -- "[behavior/rules/windows/command_and_control_potential_remote_desktop_protocol_tunneling.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];
    "[behavior/rules/windows/defense_evasion_suspicious_remote_registry_modification.toml]" -- "[behavior/rules/linux/persistence_unusual_command_executed_by_web_server.toml]"
        [label=" 2 ", penwidth="2", color="#00688b70"];

    // ---- Weight 1 (39 edges) ------------------------------------------
    "[behavior/rules/windows/defense_evasion_process_memory_write_to_a_non_child_process.toml]" -- "[behavior/rules/linux/defense_evasion_linux_payload_decoded_and_decrypted_via_built_in_utility.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_suspicious_memory_page_protection.toml]" -- "[behavior/rules/macos/execution_execution_via_electron_child_process_node.js_module.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_potential_evasion_with_hardware_breakpoints.toml]" -- "[behavior/rules/windows/credential_access_failed_attempts_to_access_sensitive_files.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/linux/persistence_suspicious_echo_execution.toml]" -- "[behavior/rules/linux/persistence_hidden_payload_executed_via_scheduled_job.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/linux/persistence_suspicious_file_creation_via_web_server.toml]" -- "[behavior/rules/linux/execution_suspicious_execution_from_foomatic_rip_or_cupsd_parent.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/execution_suspicious_windows_script_base64_encoding.toml]" -- "[behavior/rules/windows/credential_access_lsass_access_attempt_from_an_unsigned_executable.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/linux/persistence_suspicious_file_creation_via_web_server.toml]" -- "[behavior/rules/linux/defense_evasion_timestomping_detected_via_touch.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_shellcode_execution_via_python_script.toml]" -- "[behavior/rules/windows/defense_evasion_com_to_.net_redirection_via_registry.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/credential_access_remote_access_to_sensitive_registry_keys.toml]" -- "[behavior/rules/windows/command_and_control_connection_to_webservice_by_a_signed_binary_proxy.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_potential_shellcode_injection_via_a_webshell.toml]" -- "[behavior/rules/windows/defense_evasion_amsi_or_wldp_bypass_via_memory_patching.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/linux/persistence_hidden_payload_executed_via_scheduled_job.toml]" -- "[behavior/rules/linux/command_and_control_file_downloaded_via_curl_or_wget_to_hidden_directory.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/credential_access_lsass_access_attempt_from_an_unsigned_executable.toml]" -- "[behavior/rules/linux/persistence_unusual_command_executed_by_web_server.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_suspicious_memory_protection_fluctuation.toml]" -- "[behavior/rules/linux/persistence_scheduled_job_executing_binary_in_unusual_location.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/impact_suspicious_file_rename_via_smb.toml]" -- "[behavior/rules/macos/defense_evasion_suspicious_openssl_execution_via_macos_application.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/execution_suspicious_api_call_from_a_powershell_script.toml]" -- "[behavior/rules/linux/persistence_systemd_execution_followed_by_network_connection.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_potential_injection_via_module_stomping.toml]" -- "[behavior/rules/windows/defense_evasion_attempt_to_hide_files_via_registry_modification.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/execution_suspicious_windows_script_base64_encoding.toml]" -- "[behavior/rules/windows/defense_evasion_virtualalloc_api_call_from_an_unsigned_dll.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/persistence_office_application_startup_via_template_file_modification.toml]" -- "[behavior/rules/linux/persistence_motd_execution_followed_by_egress_network_connection.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/execution_execution_via_obfuscated_windows_script.toml]" -- "[behavior/rules/windows/defense_evasion_process_memory_write_to_a_non_child_process.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/persistence_dual_persistence_via_startup_and_scheduled_task.toml]" -- "[behavior/rules/windows/defense_evasion_windows_api_via_a_callback_function.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_unbacked_shellcode_from_unsigned_module.toml]" -- "[behavior/rules/windows/credential_access_lsass_access_attempt_via_ppl_bypass.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/persistence_registry_or_file_modification_from_suspicious_memory.toml]" -- "[behavior/rules/windows/execution_potential_pentesting_powershell_script.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_suspicious_powershell_console_history_deletion.toml]" -- "[behavior/rules/windows/defense_evasion_com_to_.net_redirection_via_registry.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_process_creation_from_backed_rwx_memory.toml]" -- "[behavior/rules/linux/defense_evasion_shared_object_load_via_lolbin.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/execution_suspicious_command_shell_execution_via_windows_run.toml]" -- "[behavior/rules/windows/defense_evasion_suspicious_remote_memory_allocation.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_suspicious_memory_protection_fluctuation.toml]" -- "[behavior/rules/linux/defense_evasion_timestomping_detected_via_touch.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_potential_remote_code_injection.toml]" -- "[behavior/rules/macos/collection_suspicious_image_creation_via_screencapture.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/execution_potential_pentesting_powershell_script.toml]" -- "[behavior/rules/windows/defense_evasion_parallel_ntdll_loaded_from_unbacked_memory.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_image_hollow_from_unusual_stack.toml]" -- "[behavior/rules/windows/credential_access_lsass_access_attempt_from_an_unsigned_executable.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_process_creation_with_unusual_mitigation.toml]" -- "[behavior/rules/windows/credential_access_security_account_manager_(sam)_registry_access.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_potential_ntdll_memory_unhooking.toml]" -- "[behavior/rules/linux/defense_evasion_shared_object_injection_via_process_environment_variable.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/command_and_control_ingress_tool_transfer_via_powershell.toml]" -- "[behavior/rules/linux/persistence_apt_package_manager_command_execution.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/credential_access_failed_attempts_to_access_sensitive_files.toml]" -- "[behavior/rules/windows/command_and_control_execution_from_suspicious_stack_trailing_bytes.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_remote_memory_write_to_trusted_target_process.toml]" -- "[behavior/rules/linux/impact_potential_coin_miner_execution_via_shell.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/lateral_movement_execution_of_a_file_dropped_from_smb_via_services.toml]" -- "[behavior/rules/linux/persistence_egress_network_connection_from_default_dpkg_directory.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_attempt_to_hide_files_via_registry_modification.toml]" -- "[behavior/rules/linux/persistence_file_downloaded_to_suspicious_location_by_web_server.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/command_and_control_execution_from_suspicious_stack_trailing_bytes.toml]" -- "[behavior/rules/macos/execution_temporary_binary_execution_via_osascript.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/privilege_escalation_interactive_logon_by_a_suspicious_process.toml]" -- "[behavior/rules/windows/credential_access_access_to_browser_credentials_from_suspicious_memory.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
    "[behavior/rules/windows/defense_evasion_protected_process_light_bypass_via_dll_tampering.toml]" -- "[behavior/rules/windows/defense_evasion_potential_ntdll_memory_unhooking.toml]"
        [label=" 1 ", penwidth="1", color="#00688b5E"];
}