| Path | Lines of Code |
|---|---|
| 00-query-submission-template.md | 32 |
| CODE_OF_CONDUCT.md | 6 |
| Campaigns/Abuse.ch Recent Threat Feed.md | 94 |
| Campaigns/Bazacall/Bazacall Emails.md | 32 |
| Campaigns/Bazacall/Cobalt Strike Lateral Movement.md | 34 |
| Campaigns/Bazacall/Dropping payload via certutil.md | 33 |
| Campaigns/Bazacall/Excel Macro Execution.md | 32 |
| Campaigns/Bazacall/Excel file download domain pattern.md | 31 |
| Campaigns/Bazacall/Malicious Excel Delivery.md | 32 |
| Campaigns/Bazacall/NTDS theft.md | 35 |
| Campaigns/Bazacall/Renamed Rclone Exfil.md | 31 |
| Campaigns/Bazacall/RunDLL Suspicious Network Connection.md | 31 |
| Campaigns/Bazarloader/Stolen Images Execution.md | 31 |
| Campaigns/Bazarloader/Zip-Doc - Creation of JPG Payload File.md | 32 |
| Campaigns/Bazarloader/Zip-Doc - Word Launching MSHTA.md | 31 |
| Campaigns/Jupyter-Solarmaker/deimos-component-execution.md | 35 |
| Campaigns/Jupyter-Solarmaker/evasive-powershell-executions.md | 34 |
| Campaigns/Jupyter-Solarmaker/evasive-powershell-strings.md | 31 |
| Campaigns/Jupyter-Solarmaker/successive-tk-domain-calls.md | 35 |
| Campaigns/LemonDuck/LemonDuck-competition-killer.md | 35 |
| Campaigns/LemonDuck/LemonDuck-component-download-structure.md | 32 |
| Campaigns/LemonDuck/LemonDuck-component-names.md | 32 |
| Campaigns/LemonDuck/LemonDuck-control-structure.md | 32 |
| Campaigns/LemonDuck/LemonDuck-defender-exclusions.md | 32 |
| Campaigns/LemonDuck/LemonDuck-email-subjects.md | 33 |
| Campaigns/LemonDuck/LemonDuck-id-generation.md | 32 |
| Campaigns/LemonDuck/LemonDuck-registration-function.md | 32 |
| Campaigns/Log4J/Alerts related to Log4j vulnerability.md | 44 |
| Campaigns/Log4J/Devices with Log4j vulnerability alerts and additional other alert related context.md | 55 |
| Campaigns/Log4J/Suspicious JScript staging comment.md | 32 |
| Campaigns/Log4J/Suspicious PowerShell curl flags.md | 32 |
| Campaigns/Log4J/Suspicious process event creation from VMWare Horizon TomcatService.md | 32 |
| Campaigns/Macaw Ransomware/Disable Controlled Folders.md | 32 |
| Campaigns/Macaw Ransomware/Imminent Ransomware.md | 56 |
| Campaigns/Macaw Ransomware/Inhibit recovery by disabling tools and functionality.md | 34 |
| Campaigns/Macaw Ransomware/Mass account password change.md | 33 |
| Campaigns/Macaw Ransomware/PSExec Attrib commands.md | 34 |
| Campaigns/Macaw Ransomware/Use of MSBuild as LOLBin.md | 32 |
| Campaigns/Qakbot/Excel launching anomalous processes.md | 32 |
| Campaigns/Qakbot/General attempts to access local email store.md | 33 |
| Campaigns/Qakbot/Qakbot Craigslist Domains.md | 31 |
| Campaigns/Qakbot/Qakbot email theft.md | 38 |
| Campaigns/Qakbot/Qakbot reconnaissance activities.md | 35 |
| Campaigns/StrRAT malware/StrRAT-AV-Discovery.md | 32 |
| Campaigns/StrRAT malware/StrRAT-Email-Delivery.md | 46 |
| Campaigns/StrRAT malware/StrRAT-Malware-Persistence.md | 32 |
| Campaigns/Sysrv-botnet/app-armor-stopped.md | 32 |
| Campaigns/Sysrv-botnet/java-executing-cmd-to-run-powershell.md | 33 |
| Campaigns/Sysrv-botnet/kinsing-miner-download.md | 32 |
| Campaigns/Sysrv-botnet/oracle-webLogic-executing-powershell.md | 32 |
| Campaigns/Sysrv-botnet/rce-on-vulnerable-server.md | 33 |
| Campaigns/Sysrv-botnet/tomcat-8-executing-powershell.md | 34 |
| Campaigns/Threat actor Phosphorus masquerading as conference organizers.md | 47 |
| Campaigns/WastedLocker Downloader.md | 32 |
| Campaigns/ZLoader/Malicious bat file.md | 32 |
| Campaigns/ZLoader/Payload Delivery.md | 32 |
| Campaigns/ZLoader/Suspicious Registry Keys.md | 32 |
| Campaigns/c2-lookup-from-nonbrowser[Nobelium].md | 64 |
| Campaigns/c2-lookup-response[Nobelium].md | 64 |
| Campaigns/cobalt-strike-invoked-w-wmi.md | 49 |
| Campaigns/compromised-certificate[Nobelium].md | 66 |
| Campaigns/confluence-weblogic-targeted.md | 85 |
| Campaigns/cypherpunk-exclusive-commands.md | 34 |
| Campaigns/cypherpunk-remote-exec-w-psexesvc.md | 35 |
| Campaigns/detect-cyzfc-activity.md | 56 |
| Campaigns/fireeye-red-team-tools-CVEs [Nobelium].md | 80 |
| Campaigns/fireeye-red-team-tools-HASHs [Nobelium].md | 372 |
| Campaigns/known-affected-software-orion[Nobelium].md | 60 |
| Campaigns/launching-base64-powershell[Nobelium].md | 66 |
| Campaigns/launching-cmd-echo[Nobelium].md | 60 |
| Campaigns/oceanlotus-apt32-files.md | 108 |
| Campaigns/oceanlotus-apt32-network.md | 43 |
| Campaigns/possible-affected-software-orion[Nobelium].md | 62 |
| Campaigns/robbinhood-driver.md | 33 |
| Campaigns/robbinhood-evasion.md | 35 |
| Campaigns/snip3-aviation-targeting-emails.md | 40 |
| Campaigns/snip3-detectsanboxie-function-call.md | 32 |
| Campaigns/snip3-encoded-powershell-structure.md | 34 |
| Campaigns/snip3-malicious-network-connectivity.md | 34 |
| Campaigns/snip3-revengerat-c2-exfiltration.md | 32 |
| Collection/Anomaly of MailItemAccess by Other Users Mailbox [Nobelium].md | 109 |
| Collection/HostExportingMailboxAndRemovingExport[Solarigate].md | 50 |
| Collection/MailItemsAccessedTimeSeries[Solarigate].md | 67 |
| Command and Control/C2-NamedPipe.md | 87 |
| Command and Control/Connection to Rare DNS Hosts.md | 49 |
| Command and Control/DNSPattern [Nobelium].md | 111 |
| Command and Control/EncodedDomainURL [Nobelium].md | 128 |
| Command and Control/c2-bluekeep.md | 40 |
| Command and Control/check-for-shadowhammer-activity-download-domain.md | 31 |
| Command and Control/python-use-by-ransomware-macos.md | 36 |
| Command and Control/recon-with-rundll.md | 37 |
| Command and Control/reverse-shell-ransomware-macos.md | 36 |
| Credential Access/Active Directory Sensitive Group Modifications.md | 80 |
| Credential Access/cobalt-strike.md | 55 |
| Credential Access/doppelpaymer-procdump.md | 41 |
| Credential Access/identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike.md | 51 |
| Credential Access/lazagne.md | 42 |
| Credential Access/logon-attempts-after-malicious-email.md | 37 |
| Credential Access/procdump-lsass-credentials.md | 47 |
| Credential Access/wadhrama-credential-dump.md | 37 |
| Credential Access/wdigest-caching.md | 40 |
| Defense evasion/ADFSDomainTrustMods[Nobelium].md | 82 |
| Defense evasion/Discovering potentially tampered devices [Nobelium].md | 89 |
| Defense evasion/MailPermissionsAddedToApplication[Nobelium].md | 88 |
| Defense evasion/PotentialMicrosoftDefenderTampering[Solarigate].md | 51 |
| Defense evasion/UpdateStsRefreshToken[Solorigate].md | 43 |
| Defense evasion/alt-data-streams.md | 43 |
| Defense evasion/clear-system-logs.md | 38 |
| Defense evasion/deleting-data-w-cipher-tool.md | 43 |
| Defense evasion/doppelpaymer-stop-services.md | 39 |
| Defense evasion/hiding-java-class-file.md | 32 |
| Defense evasion/locate-files-possibly-signed-by-fraudulent-ecc-certificates.md | 36 |
| Defense evasion/qakbot-campaign-process-injection.md | 40 |
| Defense evasion/qakbot-campaign-self-deletion.md | 42 |
| Delivery/Gootkit-malware.md | 41 |
| Delivery/Qakbot Craigslist Domains.md | 31 |
| Delivery/detect-jscript-file-creation.md | 33 |
| Delivery/powercat-download.md | 45 |
| Discovery/Detect-Not-Active-AD-User-Accounts.md | 35 |
| Discovery/DetectTorRelayConnectivity.md | 40 |
| Discovery/MultipleLdaps.md | 42 |
| Discovery/MultipleSensitiveLdaps.md | 60 |
| Discovery/PasswordSearch.md | 44 |
| Discovery/Roasting.md | 62 |
| Discovery/SensitiveLdaps.md | 39 |
| Discovery/SuspiciousEnumerationUsingAdfind[Nobelium].md | 76 |
| Discovery/VulnComputers.md | 43 |
| Discovery/detect-nbtscan-activity.md | 36 |
| Discovery/detect-suspicious-commands-initiated-by-web-server-processes.md | 48 |
| Discovery/doppelpaymer.md | 43 |
| Discovery/qakbot-campaign-esentutl.md | 40 |
| Discovery/qakbot-campaign-outlook.md | 39 |
| Email Queries/Appspot Phishing Abuse.md | 41 |
| Email Queries/JNLP-File-Attachment.md | 31 |
| Email Queries/PhishingEmailUrlRedirector.md | 40 |
| Email Queries/referral-phish-emails.md | 39 |
| Execution/Base64 Detector and Decoder.md | 36 |
| Execution/Detect Encoded Powershell.md | 32 |
| Execution/Detect PowerShell v2 Downgrade.md | 38 |
| Execution/File Copy and Execution.md | 44 |
| Execution/Possible Ransomware Related Destruction Activity.md | 48 |
| Execution/Webserver Executing Suspicious Applications.md | 36 |
| Execution/check-for-shadowhammer-activity-implant.md | 34 |
| Execution/detect-anomalous-process-trees.md | 103 |
| Execution/detect-bluekeep-related-mining.md | 39 |
| Execution/detect-doublepulsar-execution.md | 35 |
| Execution/detect-exploitation-of-cve-2018-8653.md | 36 |
| Execution/detect-malcious-use-of-msiexec.md | 48 |
| Execution/detect-malicious-rar-extraction.md | 34 |
| Execution/detect-office-products-spawning-wmic.md | 32 |
| Execution/detect-suspicious-mshta-usage.md | 34 |
| Execution/detect-web-server-exploit-doublepulsar.md | 83 |
| Execution/exchange-iis-worker-dropping-webshell.md | 54 |
| Execution/jse-launched-by-word.md | 35 |
| Execution/launch-questd-w-osascript.md | 37 |
| Execution/locate-shlayer-payload-decryption-activity.md | 36 |
| Execution/locate-shlayer-payload-decrytion-activity.md | 36 |
| Execution/locate-surfbuyer-downloader-decoding-activity.md | 33 |
| Execution/office-apps-launching-wscipt.md | 33 |
| Execution/powershell-activity-after-email-from-malicious-sender.md | 37 |
| Execution/powershell-version-2.0-execution.md | 35 |
| Execution/python-based-attacks-on-macos.md | 32 |
| Execution/qakbot-campaign-suspicious-javascript.md | 41 |
| Execution/reverse-shell-nishang-base64.md | 51 |
| Execution/reverse-shell-nishang.md | 46 |
| Execution/sql-server-abuse.md | 128 |
| Execution/umworkerprocess-creating-webshell.md | 50 |
| Execution/umworkerprocess-unusual-subprocess-activity.md | 47 |
| Exfiltration/7-zip-prep-for-exfiltration.md | 45 |
| Exfiltration/Anomaly of MailItemAccess by GraphAPI [Nobelium].md | 74 |
| Exfiltration/Files copied to USB drives.md | 49 |
| Exfiltration/MailItemsAccessed Throttling [Nobelium].md | 66 |
| Exfiltration/OAuth Apps accessing user mail via GraphAPI [Nobelium].md | 63 |
| Exfiltration/OAuth Apps reading mail both via GraphAPI and directly [Nobelium].md | 81 |
| Exfiltration/OAuth Apps reading mail via GraphAPI anomaly [Nobelium].md | 67 |
| Exfiltration/Password Protected Archive Creation.md | 38 |
| Exfiltration/Possible File Copy to USB Drive.md | 44 |
| Exfiltration/detect-archive-exfiltration-to-competitor.md | 42 |
| Exfiltration/detect-exfiltration-after-termination.md | 46 |
| Exfiltration/detect-steganography-exfiltration.md | 54 |
| Exfiltration/exchange-powershell-snapin-loaded.md | 46 |
| Exploits/CVE-2021-36934 usage detection.md | 51 |
| Exploits/MosaicLoader.md | 35 |
| Exploits/Print Spooler RCE/Spoolsv Spawning Rundll32.md | 31 |
| Exploits/Print Spooler RCE/Suspicious DLLs in spool folder.md | 32 |
| Exploits/Print Spooler RCE/Suspicious Spoolsv Child Process.md | 48 |
| Exploits/Print Spooler RCE/Suspicious files in spool folder.md | 29 |
| Exploits/SolarWinds -CVE-2021-35211.md | 37 |
| Exploits/printnightmare-cve-2021-1675 usage detection.md | 46 |
| Exploits/winrar-cve-2018-20250-ace-files.md | 37 |
| Exploits/winrar-cve-2018-20250-file-creation.md | 38 |
| Fun/Make FolderPath Vogon Poetry.md | 76 |
| General queries/AppLocker Policy Design Assistant.md | 67 |
| General queries/Crashing Applications.md | 39 |
| General queries/Detect Azure RemoteIP.md | 55 |
| General queries/Device Count by DNS Suffix.md | 37 |
| General queries/Device uptime calculation.md | 50 |
| General queries/Endpoint Agent Health Status Report.md | 49 |
| General queries/Firewall Policy Design Assistant.md | 88 |
| General queries/MD AV Signature and Platform Version.md | 44 |
| General queries/Phish and Malware received by user vs total amount of email.md | 35 |
| General queries/insider-threat-detection-queries.md | 333 |
| Impact/backup-deletion.md | 37 |
| Impact/ransom-note-creation-macos.md | 36 |
| Impact/turn-off-system-restore.md | 45 |
| Impact/wadhrama-data-destruction.md | 39 |
| Initial access/Check for Maalware Baazar (abuse.ch) hashes in your mail flow.md | 39 |
| Initial access/Non_intended_user_logon.md | 25 |
| Initial access/PhishingEmailUrlRedirector.md | 31 |
| Initial access/SuspiciousUrlClicked.md | 62 |
| Initial access/WhenZAPed.md | 39 |
| Initial access/detect-bluekeep-exploitation-attempts.md | 36 |
| Initial access/detect-mailsniper.md | 67 |
| Initial access/files-from-malicious-sender.md | 34 |
| Initial access/identify-potential-missed-phishing-email-campaigns.md | 33 |
| Initial access/jar-attachments.md | 34 |
| Lateral Movement/ImpersonatedUserFootprint.md | 48 |
| Lateral Movement/Network Logons with Local Accounts.md | 34 |
| Lateral Movement/detect-suspicious-rdp-connections.md | 50 |
| Lateral Movement/doppelpaymer-psexec.md | 41 |
| Lateral Movement/remote-file-creation-with-psexec.md | 51 |
| Notebooks/M365D APIs ep3.ipynb | 206 |
| Persistence/AddedCredentialFromContryXAndSigninFromCountryY.md | 36 |
| Persistence/CredentialsAddAfterAdminConsentedToApp[Nobelium].md | 77 |
| Persistence/NewAppOrServicePrincipalCredential[Nobelium].md | 86 |
| Persistence/Possible webshell drop.md | 52 |
| Persistence/detect-prifou-pua.md | 40 |
| Persistence/qakbot-campaign-registry-edit.md | 41 |
| Persistence/wadhrama-ransomware.md | 55 |
| Privilege escalation/Add uncommon credential type to application [Nobelium].md | 68 |
| Privilege escalation/SAM-Name-Changes-CVE-2021-42278.md | 36 |
| Privilege escalation/ServicePrincipalAddedToRole [Nobelium].md | 65 |
| Privilege escalation/cve-2019-0808-c2.md | 37 |
| Privilege escalation/cve-2019-0808-nufsys-file creation.md | 40 |
| Privilege escalation/cve-2019-0808-set-scheduled-task.md | 39 |
| Privilege escalation/dell-driver-vulnerability-2021.md | 32 |
| Privilege escalation/detect-cve-2019-0863-AngryPolarBearBug2-exploit.md | 40 |
| Privilege escalation/detect-cve-2019-0973-installerbypass-exploit.md | 40 |
| Privilege escalation/detect-cve-2019-1053-sandboxescape-exploit.md | 39 |
| Privilege escalation/detect-cve-2019-1069-bearlpe-exploit.md | 46 |
| Privilege escalation/detect-cve-2019-1129-byebear-exploit.md | 41 |
| Privilege escalation/locate-ALPC-local-privilege-elevation-exploit.md | 35 |
| Protection events/README.md | 2 |
| README.md | 45 |
| Ransomware/Backup deletion.md | 33 |
| Ransomware/Check for multiple signs of ransomware activity.md | 102 |
| Ransomware/Clearing of forensic evidence from event logs using wevtutil.md | 34 |
| Ransomware/DarkSide.md | 30 |
| Ransomware/Deletion of data on multiple drives using cipher exe.md | 38 |
| Ransomware/Discovery for highly-privileged accounts.md | 36 |
| Ransomware/Distribution from remote location.md | 34 |
| Ransomware/Fake Replies.md | 36 |
| Ransomware/File Backup Deletion Alerts.md | 31 |
| Ransomware/Gootkit File Delivery.md | 38 |
| Ransomware/HTA Startup Persistence.md | 31 |
| Ransomware/IcedId Delivery.md | 31 |
| Ransomware/IcedId attachments.md | 37 |
| Ransomware/IcedId email delivery.md | 32 |
| Ransomware/LaZagne Credential Theft.md | 32 |
| Ransomware/Potential ransomware activity related to Cobalt Strike.md | 55 |
| Ransomware/Qakbot discovery activies.md | 38 |
| Ransomware/Sticky Keys.md | 30 |
| Ransomware/Stopping multiple processes using taskkill.md | 34 |
| Ransomware/Stopping processes using net stop.md | 34 |
| Ransomware/Suspicious Bitlocker Encryption.md | 36 |
| Ransomware/Suspicious Google Doc Links.md | 34 |
| Ransomware/Suspicious Image Load related to IcedId.md | 31 |
| Ransomware/Turning off System Restore.md | 38 |
| Ransomware/Turning off services using sc exe.md | 34 |
| SECURITY.md | 24 |
| TVM/devices_with_vuln_and_users_received_payload.md | 39 |
| Troubleshooting/Connectivity Failures by Device.md | 105 |
| Troubleshooting/Connectivity Failures by Domain.md | 43 |
| Webcasts/README.md | 10 |
| Webcasts/TrackingTheAdversary/README.md | 15 |