threatengine.sh Sigma export
backend: cortex_xdr (one .txt per rule, the rendered query)
rules: 763
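
Reading this index back in is the first thing a detection engineer does before loading the rendered queries into Cortex XDR, so here is a small parser and linter for it. This is an added example, not part of threatengine.sh or of the export; it assumes what the listing shows (fields separated by two or more spaces, an empty tag list written as "[]", a tagged rule's filename prefixed with its first ATT&CK tag, and a "_2" before ".txt" disambiguating two rules whose truncated slugs collide). The sample index is six lines copied from the listing plus one deliberately inconsistent "bogus" entry, constructed to exercise the linter.

```python
"""Parse and sanity-check a threatengine.sh-style Sigma export index (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# One index line: "<filename>  [<tag>,<tag>,...]  <title>", fields separated by
# two or more spaces; the tag list may be empty ("[]"). Format assumed from the listing.
LINE_RE = re.compile(
    r"^\s*(?P<file>\S+\.txt)\s{2,}\[(?P<tags>[^\]]*)\]\s{2,}(?P<title>.+?)\s*$"
)
# Filenames of tagged rules start with the first ATT&CK tag, e.g. "T1059.005_".
PREFIX_RE = re.compile(r"^(?P<tech>T\d{4}(?:\.\d{3})?)_")
TECH_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")
# Assumed: a "_2" (etc.) before ".txt" disambiguates colliding truncated slugs.
COLLISION_SUFFIX_RE = re.compile(r"_\d+$")


@dataclass
class Rule:
    filename: str
    tags: list
    title: str

    @property
    def prefix(self):
        m = PREFIX_RE.match(self.filename)
        return m.group("tech") if m else None

    @property
    def slug(self):
        """Filename without technique prefix, collision suffix and extension."""
        stem = self.filename[:-4]
        if self.prefix:
            stem = stem[len(self.prefix) + 1:]
        return COLLISION_SUFFIX_RE.sub("", stem)


def parse_index(text):
    """Return the Rule entries of an index; header lines and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            tags = [t for t in m.group("tags").split(",") if t]
            rules.append(Rule(m.group("file"), tags, m.group("title")))
    return rules


def lint(rules):
    """Flag entries whose filename prefix and tag list disagree or whose tags are malformed."""
    problems = []
    for r in rules:
        bad = [t for t in r.tags if not TECH_RE.match(t)]
        if bad:
            problems.append((r.filename, f"malformed tags {bad}"))
        if r.tags and r.prefix != r.tags[0]:
            problems.append((r.filename, f"prefix {r.prefix} != first tag {r.tags[0]}"))
        elif not r.tags and r.prefix:
            problems.append((r.filename, "technique prefix but empty tag list"))
    return problems


def untagged(rules):
    """Rules with no ATT&CK mapping; these need manual tagging before coverage reporting."""
    return [r.filename for r in rules if not r.tags]


def rules_per_technique(rules):
    """Count rules per top-level technique (a rule counts once per technique)."""
    counts = Counter()
    for r in rules:
        for tech in {t.split(".")[0] for t in r.tags}:
            counts[tech] += 1
    return counts


def slug_collisions(rules):
    """Group entries sharing a slug, i.e. those the exporter suffixed with "_N"."""
    groups = defaultdict(list)
    for r in rules:
        groups[r.slug].append(r.filename)
    return {s: fs for s, fs in groups.items() if len(fs) > 1}


# Constructed sample: six lines from the index above plus one inconsistent entry
# ("T1059_bogus-rule.txt" does not exist in the export; it is here to trip the linter).
SAMPLE_INDEX = """threatengine.sh Sigma export
backend: cortex_xdr (one .txt per rule, the rendered query)
rules: 7

files:
  rdp-file-created-by-uncommon-application.txt  []  .RDP File Created By Uncommon Application
  T1685_amsi-disabled-via-registry-modification.txt  [T1685]  AMSI Disabled via Registry Modification
  T1059.005_adwind-rat-jrat.txt  [T1059.005,T1059.007]  Adwind RAT / JRAT
  T1059_atlassian-confluence-cve-2022-26134.txt  [T1059,T1190]  Atlassian Confluence CVE-2022-26134
  ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-pr.txt  []  IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
  ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-pr_2.txt  []  IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
  T1059_bogus-rule.txt  [T1190]  Constructed inconsistent entry
"""

if __name__ == "__main__":
    rules = parse_index(SAMPLE_INDEX)
    print(len(rules), "rules,", len(untagged(rules)), "untagged")
    for filename, why in lint(rules):
        print("LINT", filename, why)
    print(dict(rules_per_technique(rules)))
    print(slug_collisions(rules))
```

Run it against the full index to get the untagged set (the rules that will not show up in an ATT&CK coverage matrix) and any prefix/tag mismatches before the .txt queries are imported.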

files:
  rdp-file-created-by-uncommon-application.txt  []  .RDP File Created By Uncommon Application
  T1685_amsi-disabled-via-registry-modification.txt  [T1685]  AMSI Disabled via Registry Modification
  T1055_apt-privatelog-image-load-pattern.txt  [T1055]  APT PRIVATELOG Image Load Pattern
  T1059_abusable-dll-potential-sideloading-from-suspicious-location.txt  [T1059]  Abusable DLL Potential Sideloading From Suspicious Location
  add-debugger-entry-to-hangs-key-for-persistence.txt  []  Add Debugger Entry To Hangs Key For Persistence
  T1059.005_adwind-rat-jrat.txt  [T1059.005,T1059.007]  Adwind RAT / JRAT
  T1059.005_adwind-rat-jrat-file-artifact.txt  [T1059.005,T1059.007]  Adwind RAT / JRAT File Artifact
  T1685_antivirus-filter-driver-disallowed-on-dev-drive-registry.txt  [T1685]  Antivirus Filter Driver Disallowed On Dev Drive - Registry
  T1190_apache-spark-shell-command-injection-processcreation.txt  [T1190]  Apache Spark Shell Command Injection - ProcessCreation
  T1574.001_aruba-network-service-potential-dll-sideloading.txt  [T1574.001]  Aruba Network Service Potential DLL Sideloading
  T1059_atlassian-confluence-cve-2022-26134.txt  [T1059,T1190]  Atlassian Confluence CVE-2022-26134
  T1059.002_atomic-macos-stealer-filegrabber-activity.txt  [T1059.002]  Atomic MacOS Stealer - FileGrabber Activity
  T1543.004_atomic-macos-stealer-persistence-indicators.txt  [T1543.004,T1564.001]  Atomic MacOS Stealer - Persistence Indicators
  T1187_attempts-of-kerberos-coercion-via-dns-spn-spoofing.txt  [T1187,T1557.001]  Attempts of Kerberos Coercion Via DNS SPN Spoofing
  T1685.001_audit-policy-tampering-via-nt-resource-kit-auditpol.txt  [T1685.001]  Audit Policy Tampering Via NT Resource Kit Auditpol
  T1685.004_audit-rules-deleted-via-auditctl.txt  [T1685.004]  Audit Rules Deleted Via Auditctl
  T1105_axios-npm-compromise-file-creation-indicators-linux.txt  [T1105,T1195.002]  Axios NPM Compromise File Creation Indicators - Linux
  T1105_axios-npm-compromise-file-creation-indicators-macos.txt  [T1105,T1195.002]  Axios NPM Compromise File Creation Indicators - MacOS
  T1195.002_axios-npm-compromise-file-creation-indicators-windows.txt  [T1195.002]  Axios NPM Compromise File Creation Indicators - Windows
  T1059.004_axios-npm-compromise-indicators-linux.txt  [T1059.004,T1059.006,T1105,T1195.002]  Axios NPM Compromise Indicators - Linux
  T1059.002_axios-npm-compromise-indicators-macos.txt  [T1059.002,T1059.004,T1105,T1195.002]  Axios NPM Compromise Indicators - macOS
  T1021.003_baaupdate-exe-suspicious-dll-load.txt  [T1021.003,T1218]  BaaUpdate.exe Suspicious DLL Load
  T1218.011_bad-opsec-defaults-sacrificial-processes-with-improper-argum.txt  [T1218.011]  Bad Opsec Defaults Sacrificial Processes With Improper Arguments
  T1027_base64-encoded-powershell-command-detected.txt  [T1027,T1059.001,T1140]  Base64 Encoded PowerShell Command Detected
  base64-mz-header-in-commandline.txt  []  Base64 MZ Header In CommandLine
  T1027.001_binary-padding-macos.txt  [T1027.001]  Binary Padding - MacOS
  T1112_blackbyte-ransomware-registry.txt  [T1112]  Blackbyte Ransomware Registry
  T1059.001_bloodhound-collection-files.txt  [T1059.001,T1069.001,T1069.002,T1087.001,T1087.002,T1482]  BloodHound Collection Files
  T1047_blue-mockingbird.txt  [T1047,T1112]  Blue Mockingbird
  T1047_blue-mockingbird-registry.txt  [T1047,T1112]  Blue Mockingbird - Registry
  T1548.002_bypass-uac-using-delegateexecute.txt  [T1548.002]  Bypass UAC Using DelegateExecute
  T1547.010_bypass-uac-using-event-viewer.txt  [T1547.010]  Bypass UAC Using Event Viewer
  T1548.002_bypass-uac-using-silentcleanup-task.txt  [T1548.002]  Bypass UAC Using SilentCleanup Task
  T1548.002_bypass-uac-via-fodhelper-exe.txt  [T1548.002]  Bypass UAC via Fodhelper.exe
  T1218.003_cmstp-execution-process-creation.txt  [T1218.003]  CMSTP Execution Process Creation
  T1218.003_cmstp-execution-registry-event.txt  [T1218.003]  CMSTP Execution Registry Event
  T1218.003_cmstp-uac-bypass-via-com-object-access.txt  [T1218.003,T1548.002]  CMSTP UAC Bypass via COM Object Access
  coldsteel-rat-anonymous-user-process-execution.txt  []  COLDSTEEL RAT Anonymous User Process Execution
  T1546_com-hijack-via-sdclt.txt  [T1546,T1548]  COM Hijack via Sdclt
  T1546.015_com-object-hijacking-via-modification-of-default-system-clsi.txt  [T1546.015]  COM Object Hijacking Via Modification Of Default System CLSID Default Value
  T1112_cve-2020-1048-exploitation-attempt-suspicious-new-printer-po.txt  [T1112]  CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
  T1203_cve-2021-26858-exchange-exploitation.txt  [T1203]  CVE-2021-26858 Exchange Exploitation
  cve-2021-44077-poc-default-dropped-file.txt  []  CVE-2021-44077 POC Default Dropped File
  T1059.001_cve-2022-24527-microsoft-connected-cache-lpe.txt  [T1059.001]  CVE-2022-24527 Microsoft Connected Cache LPE
  T1059_cve-2023-22518-exploitation-attempt-suspicious-confluence-ch.txt  [T1059,T1190]  CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
  cve-2023-38331-exploitation-attempt-suspicious-double-extens.txt  []  CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
  T1190_cve-2024-50623-exploitation-attempt-cleo.txt  [T1190]  CVE-2024-50623 Exploitation Attempt - Cleo
  cab-file-extraction-via-wusa-exe-from-potentially-suspicious.txt  []  Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
  T1059_capsh-shell-invocation-linux.txt  [T1059]  Capsh Shell Invocation - Linux
  T1112_change-user-account-associated-with-the-fax-service.txt  [T1112]  Change User Account Associated with the FAX Service
  T1685.001_change-winevt-channel-access-permission-via-registry.txt  [T1685.001]  Change Winevt Channel Access Permission Via Registry
  T1112_change-the-fax-dll.txt  [T1112]  Change the Fax Dll
  T1018_chopper-webshell-process-pattern.txt  [T1018,T1033,T1087,T1505.003]  Chopper Webshell Process Pattern
  T1053.005_chromeloader-malware-execution.txt  [T1053.005,T1059.001,T1176]  ChromeLoader Malware Execution
  chromium-browser-headless-execution-to-mockbin-like-site.txt  []  Chromium Browser Headless Execution To Mockbin Like Site
  T1059.001_cmd-exe-missing-space-characters-execution-anomaly.txt  [T1059.001]  Cmd.EXE Missing Space Characters Execution Anomaly
  T1090_communication-to-ngrok-tunneling-service-linux.txt  [T1090,T1102,T1567,T1568.002,T1572]  Communication To Ngrok Tunneling Service - Linux
  T1090_communication-to-ngrok-tunneling-service-initiated.txt  [T1090,T1102,T1567,T1568.002,T1572]  Communication To Ngrok Tunneling Service Initiated
  T1190_commvault-qlogin-argument-injection-authentication-bypass-cv.txt  [T1190]  Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
  T1505.003_commvault-qoperation-path-traversal-webshell-drop-cve-2025-5.txt  [T1505.003]  Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
  T1059.003_conhost-exe-commandline-path-traversal.txt  [T1059.003]  Conhost.exe CommandLine Path Traversal
  T1560_conti-ntds-exfiltration-command.txt  [T1560]  Conti NTDS Exfiltration Command
  T1587.001_conti-volume-shadow-listing.txt  [T1587.001]  Conti Volume Shadow Listing
  T1490_copy-from-volumeshadowcopy-via-cmd-exe.txt  [T1490]  Copy From VolumeShadowCopy Via Cmd.EXE
  T1552.001_copy-passwd-or-shadow-from-tmp-path.txt  [T1552.001]  Copy Passwd Or Shadow From TMP Path
  T1547.009_creation-exe-for-service-with-unquoted-path.txt  [T1547.009]  Creation Exe for Service with Unquoted Path
  T1136.001_creation-of-a-local-hidden-user-account-by-registry.txt  [T1136.001]  Creation of a Local Hidden User Account by Registry
  T1003.001_cred-dump-tools-dropped-files.txt  [T1003.001,T1003.002,T1003.003,T1003.004,T1003.005]  Cred Dump Tools Dropped Files
  T1552.001_credentials-in-files.txt  [T1552.001]  Credentials In Files
  T1105_curl-download-and-execute-combination.txt  [T1105,T1218]  Curl Download And Execute Combination
  T1202_custom-file-open-handler-executes-powershell.txt  [T1202]  Custom File Open Handler Executes PowerShell
  T1112_dhcp-callout-dll-installation.txt  [T1112,T1574.001]  DHCP Callout DLL Installation
  T1547.008_dll-load-via-lsass.txt  [T1547.008]  DLL Load via LSASS
  T1218.003_dll-loaded-from-suspicious-location-via-cmspt-exe.txt  [T1218.003]  DLL Loaded From Suspicious Location Via Cmspt.EXE
  T1574.001_dll-search-order-hijackig-via-additional-space-in-path.txt  [T1574.001]  DLL Search Order Hijackig Via Additional Space in Path
  T1574.001_dll-sideloading-of-shellchromeapi-dll.txt  [T1574.001]  DLL Sideloading Of ShellChromeAPI.DLL
  T1574.001_dll-sideloading-by-vmware-xfer-utility.txt  [T1574.001]  DLL Sideloading by VMware Xfer Utility
  T1048.001_dns-exfiltration-and-tunneling-tools-execution.txt  [T1048.001,T1071.004,T1132.001]  DNS Exfiltration and Tunneling Tools Execution
  T1552.004_dpapi-backup-keys-and-certificate-export-activity-ioc.txt  [T1552.004,T1555]  DPAPI Backup Keys And Certificate Export Activity IOC
  T1059.001_dsinternals-suspicious-powershell-cmdlets.txt  [T1059.001]  DSInternals Suspicious PowerShell Cmdlets
  T1136.001_darkgate-user-created-via-net-exe.txt  [T1136.001]  DarkGate - User Created Via Net.EXE
  T1547.010_default-rdp-port-changed-to-non-standard-port.txt  [T1547.010]  Default RDP Port Changed to Non Standard Port
  T1489_delete-all-scheduled-tasks.txt  [T1489]  Delete All Scheduled Tasks
  T1490_deletion-of-volume-shadow-copies-via-wmi-with-powershell.txt  [T1490]  Deletion of Volume Shadow Copies via WMI with PowerShell
  T1218_devtoolslauncher-exe-executes-specified-binary.txt  [T1218]  Devtoolslauncher.exe Executes Specified Binary
  T1202_diagnostic-library-sdiageng-dll-loaded-by-msdt-exe.txt  [T1202]  Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
  T1574.001_diamond-sleet-apt-dll-sideloading-indicators.txt  [T1574.001]  Diamond Sleet APT DLL Sideloading Indicators
  diamond-sleet-apt-file-creation-indicators.txt  []  Diamond Sleet APT File Creation Indicators
  diamond-sleet-apt-process-activity-indicators.txt  []  Diamond Sleet APT Process Activity Indicators
  T1685_diamond-sleet-apt-scheduled-task-creation-registry.txt  [T1685]  Diamond Sleet APT Scheduled Task Creation - Registry
  T1556_directory-service-restore-mode-dsrm-registry-value-tampering.txt  [T1556]  Directory Service Restore Mode(DSRM) Registry Value Tampering
  disable-macro-runtime-scan-scope.txt  []  Disable Macro Runtime Scan Scope
  T1685_disable-pua-protection-on-windows-defender.txt  [T1685]  Disable PUA Protection on Windows Defender
  T1685_disable-windows-defender-functionalities-via-registry-keys.txt  [T1685]  Disable Windows Defender Functionalities Via Registry Keys
  T1685_disabled-ie-security-features.txt  [T1685]  Disabled IE Security Features
  T1685_disabled-volume-snapshots.txt  [T1685]  Disabled Volume Snapshots
  T1685_disabled-windows-defender-eventlog.txt  [T1685]  Disabled Windows Defender Eventlog
  T1055_dotnet-clr-dll-loaded-by-scripting-applications.txt  [T1055]  DotNet CLR DLL Loaded By Scripting Applications
  driver-added-to-disallowed-images-in-hvci-registry.txt  []  Driver Added To Disallowed Images In HVCI - Registry
  T1059.012_esxi-admin-permission-assigned-to-account-via-esxcli.txt  [T1059.012,T1098]  ESXi Admin Permission Assigned To Account Via ESXCLI
  T1112_etw-logging-disabled-in-net-processes-sysmon-registry.txt  [T1112,T1685]  ETW Logging Disabled In .NET Processes - Sysmon Registry
  T1685_etw-logging-tamper-in-net-processes-via-commandline.txt  [T1685]  ETW Logging Tamper In .NET Processes Via CommandLine
  T1070_etw-trace-evasion-activity.txt  [T1070,T1685]  ETW Trace Evasion Activity
  email-exifiltration-via-powershell.txt  []  Email Exifiltration Via Powershell
  T1059.006_emotet-loader-execution-via-lnk-file.txt  [T1059.006]  Emotet Loader Execution Via .LNK File
  T1112_enable-lm-hash-storage.txt  [T1112]  Enable LM Hash Storage
  T1112_enable-lm-hash-storage-proccreation.txt  [T1112]  Enable LM Hash Storage - ProcCreation
  T1041_equation-group-c2-communication.txt  [T1041]  Equation Group C2 Communication
  T1003.002_esentutl-volume-shadow-copy-service-keys.txt  [T1003.002]  Esentutl Volume Shadow Copy Service Keys
  T1070_exchange-powershell-cmdlet-history-deleted.txt  [T1070]  Exchange PowerShell Cmdlet History Deleted
  T1218_execute-pcwrun-exe-to-leverage-follina.txt  [T1218]  Execute Pcwrun.EXE To Leverage Follina
  T1218_execution-dll-of-choice-using-wab-exe.txt  [T1218]  Execution DLL of Choice Using WAB.EXE
  T1059.001_execution-of-powershell-script-in-public-folder.txt  [T1059.001]  Execution of Powershell Script in Public Folder
  T1218_execution-via-workfolders-exe.txt  [T1218]  Execution via WorkFolders.exe
  T1218_execution-via-stordiag-exe.txt  [T1218]  Execution via stordiag.exe
  T1190_exploitation-activity-of-cve-2025-59287-wsus-suspicious-chil.txt  [T1190,T1203]  Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
  T1210_exploitation-attempt-of-cve-2020-1472-execution-of-zerologon.txt  [T1210]  Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
  T1059.001_exploited-cve-2020-10189-zoho-manageengine.txt  [T1059.001,T1059.003,T1190]  Exploited CVE-2020-10189 Zoho ManageEngine
  T1059.003_exploiting-setupcomplete-cmd-cve-2019-1378.txt  [T1059.003,T1068,T1574]  Exploiting SetupComplete.cmd CVE-2019-1378
  T1548.002_explorer-nouaccheck-flag.txt  [T1548.002]  Explorer NOUACCHECK Flag
  T1059.001_fakeupdates-socgholish-activity.txt  [T1059.001]  FakeUpdates/SocGholish Activity
  T1574.001_fax-service-dll-search-order-hijack.txt  [T1574.001]  Fax Service DLL Search Order Hijack
  T1547.001_file-creation-in-suspicious-directory-by-msdt-exe.txt  [T1547.001]  File Creation In Suspicious Directory By Msdt.EXE
  file-creation-related-to-rat-clients.txt  []  File Creation Related To RAT Clients
  T1105_file-download-with-headless-browser.txt  [T1105,T1564.003]  File Download with Headless Browser
  T1135_file-explorer-folder-opened-using-explorer-folder-shortcut-v.txt  [T1135]  File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
  T1204.002_file-with-uncommon-extension-created-by-an-office-applicatio.txt  [T1204.002]  File With Uncommon Extension Created By An Office Application
  T1204.004_filefix-command-evidence-in-typedpaths.txt  [T1204.004]  FileFix - Command Evidence in TypedPaths
  T1218.011_fireball-archer-install.txt  [T1218.011]  Fireball Archer Install
  T1547.001_forest-blizzard-apt-custom-protocol-handler-creation.txt  [T1547.001]  Forest Blizzard APT - Custom Protocol Handler Creation
  T1547.001_forest-blizzard-apt-custom-protocol-handler-dll-registry-set.txt  [T1547.001]  Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
  T1685.001_forest-blizzard-apt-file-creation-activity.txt  [T1685.001]  Forest Blizzard APT - File Creation Activity
  T1036_forfiles-exe-child-process-masquerading.txt  [T1036]  Forfiles.EXE Child Process Masquerading
  T1587.001_formbook-process-creation.txt  [T1587.001]  Formbook Process Creation
  T1486_funklocker-ransomware-file-creation.txt  [T1486]  FunkLocker Ransomware File Creation
  T1204.002_gac-dll-loaded-via-office-applications.txt  [T1204.002]  GAC DLL Loaded Via Office Applications
  goofy-guineapig-backdoor-ioc.txt  []  Goofy Guineapig Backdoor IOC
  T1046_grixba-malware-reconnaissance-activity.txt  [T1046,T1595.001]  Grixba Malware Reconnaissance Activity
  T1047_html-help-hh-exe-suspicious-child-process.txt  [T1047,T1059.001,T1059.003,T1059.005,T1059.007,T1218,T1218.001,T1218.010,T1218.011,T1566,T1566.001]  HTML Help HH.EXE Suspicious Child Process
  T1557.001_hacktool-adcspwn-execution.txt  [T1557.001]  HackTool - ADCSPwn Execution
  T1059.001_hacktool-covenant-powershell-launcher.txt  [T1059.001,T1564.003]  HackTool - Covenant PowerShell Launcher
  T1047_hacktool-crackmapexec-execution.txt  [T1047,T1053,T1059.001,T1059.003,T1110,T1201]  HackTool - CrackMapExec Execution
  T1047_hacktool-crackmapexec-execution-patterns.txt  [T1047,T1053,T1059.001,T1059.003]  HackTool - CrackMapExec Execution Patterns
  T1003.001_hacktool-crackmapexec-file-indicators.txt  [T1003.001]  HackTool - CrackMapExec File Indicators
  T1003.001_hacktool-crackmapexec-process-patterns.txt  [T1003.001]  HackTool - CrackMapExec Process Patterns
  T1053.005_hacktool-default-powersploit-empire-scheduled-task-creation.txt  [T1053.005,T1059.001]  HackTool - Default PowerSploit/Empire Scheduled Task Creation
  T1059.001_hacktool-empire-powershell-launch-parameters.txt  [T1059.001]  HackTool - Empire PowerShell Launch Parameters
  T1110.002_hacktool-hashcat-password-cracker-execution.txt  [T1110.002]  HackTool - Hashcat Password Cracker Execution
  T1055.012_hacktool-hollowreaper-execution.txt  [T1055.012]  HackTool - HollowReaper Execution
  T1090_hacktool-htran-natbypass-execution.txt  [T1090]  HackTool - Htran/NATBypass Execution
  T1110_hacktool-hydra-password-bruteforce-execution.txt  [T1110,T1110.001]  HackTool - Hydra Password Bruteforce Execution
  T1003.001_hacktool-impacket-file-indicators.txt  [T1003.001]  HackTool - Impacket File Indicators
  T1557.001_hacktool-impacket-tools-execution.txt  [T1557.001]  HackTool - Impacket Tools Execution
  T1003.001_hacktool-mimikatz-execution.txt  [T1003.001,T1003.002,T1003.004,T1003.005,T1003.006]  HackTool - Mimikatz Execution
  hacktool-nppspy-hacktool-usage.txt  []  HackTool - NPPSpy Hacktool Usage
  T1018_hacktool-netexec-execution.txt  [T1018,T1021]  HackTool - NetExec Execution
  T1021.002_hacktool-netexec-file-indicators.txt  [T1021.002,T1059.005]  HackTool - NetExec File Indicators
  T1021.003_hacktool-potential-impacket-lateral-movement-activity.txt  [T1021.003,T1047]  HackTool - Potential Impacket Lateral Movement Activity
  T1003_hacktool-potential-remote-credential-dumping-activity-via-cr.txt  [T1003]  HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
  T1574.001_hacktool-powerup-write-hijack-dll.txt  [T1574.001]  HackTool - Powerup Write Hijack DLL
  T1003.002_hacktool-pypykatz-credentials-dumping-activity.txt  [T1003.002]  HackTool - Pypykatz Credentials Dumping Activity
  T1003.002_hacktool-quarks-pwdump-execution.txt  [T1003.002]  HackTool - Quarks PwDump Execution
  T1059.003_hacktool-redmimicry-winnti-playbook-execution.txt  [T1059.003,T1106,T1218.011]  HackTool - RedMimicry Winnti Playbook Execution
  T1219.002_hacktool-remotekrbrelay-smb-relay-secrets-dump-module-indica.txt  [T1219.002]  HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
  T1087_hacktool-soaphound-execution.txt  [T1087]  HackTool - SOAPHound Execution
  T1003.001_hacktool-safetykatz-dump-indicator.txt  [T1003.001]  HackTool - SafetyKatz Dump Indicator
  T1053_hacktool-sharpersist-execution.txt  [T1053]  HackTool - SharPersist Execution
  T1090.001_hacktool-sharpchisel-execution.txt  [T1090.001]  HackTool - SharpChisel Execution
  T1210_hacktool-sharpwsus-wsuspendu-execution.txt  [T1210]  HackTool - SharpWSUS/WSUSpendu Execution
  T1552.001_hacktool-typical-hivenightmare-sam-file-export.txt  [T1552.001]  HackTool - Typical HiveNightmare SAM File Export
  T1046_hacktool-winpwn-execution.txt  [T1046,T1082,T1106,T1518,T1548.002,T1552.001,T1555,T1555.003]  HackTool - WinPwn Execution
  hacktool-wmiexec-default-powershell-command.txt  []  HackTool - Wmiexec Default Powershell Command
  T1003.001_hacktool-xordump-execution.txt  [T1003.001,T1036]  HackTool - XORDump Execution
  T1003_hacktool-execution-pe-metadata.txt  [T1003,T1588.002]  Hacktool Execution - PE Metadata
  T1021.001_hermetic-wiper-tg-process-patterns.txt  [T1021.001]  Hermetic Wiper TG Process Patterns
  T1685_hide-schedule-task-via-index-value-tamper.txt  [T1685]  Hide Schedule Task Via Index Value Tamper
  T1564.002_hiding-user-account-via-specialaccounts-registry-key.txt  [T1564.002]  Hiding User Account Via SpecialAccounts Registry Key
  T1219.002_hijack-legit-rdp-session-to-move-laterally.txt  [T1219.002]  Hijack Legit RDP Session to Move Laterally
  T1565.001_history-file-deletion.txt  [T1565.001]  History File Deletion
  T1685_hypervisor-enforced-paging-translation-disabled.txt  [T1685]  Hypervisor Enforced Paging Translation Disabled
  ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-pr.txt  []  IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
  ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-pr_2.txt  []  IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
  T1566.001_iso-file-created-within-temp-folders.txt  [T1566.001]  ISO File Created Within Temp Folders
  T1218.011_icedid-malware-suspicious-single-digit-dll-execution-via-run.txt  [T1218.011]  IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
  imagingdevices-unusual-parent-child-processes.txt  []  ImagingDevices Unusual Parent/Child Processes
  T1055_injected-browser-process-spawning-rundll32-guloader-activity.txt  [T1055]  Injected Browser Process Spawning Rundll32 - GuLoader Activity
  T1059_inline-python-execution-spawn-shell-via-os-system-library.txt  [T1059]  Inline Python Execution - Spawn Shell Via OS System Library
  T1053.002_interactive-at-job.txt  [T1053.002]  Interactive AT Job
  T1027_invoke-obfuscation-clip-launcher.txt  [T1027,T1059.001]  Invoke-Obfuscation CLIP+ Launcher
  T1027_invoke-obfuscation-obfuscated-iex-invocation.txt  [T1027,T1059.001]  Invoke-Obfuscation Obfuscated IEX Invocation
  T1027_invoke-obfuscation-stdin-launcher.txt  [T1027,T1059.001]  Invoke-Obfuscation STDIN+ Launcher
  T1027_invoke-obfuscation-var-launcher.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR+ Launcher
  T1027_invoke-obfuscation-var-launcher-obfuscation.txt  [T1027,T1059.001]  Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
  T1027_invoke-obfuscation-via-stdin.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Stdin
  T1027_invoke-obfuscation-via-use-clip.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use Clip
  T1027_invoke-obfuscation-via-use-mshta.txt  [T1027,T1059.001]  Invoke-Obfuscation Via Use MSHTA
  T1059.002_jxa-in-memory-execution-via-osascript.txt  [T1059.002,T1059.007]  JXA In-memory Execution Via OSAScript
  T1059.001_kalambur-backdoor-curl-tor-socks-proxy-execution.txt  [T1059.001,T1071.001,T1090,T1573]  Kalambur Backdoor Curl TOR SOCKS Proxy Execution
  T1547.001_kapeka-backdoor-autorun-persistence.txt  [T1547.001]  Kapeka Backdoor Autorun Persistence
  T1204.002_kapeka-backdoor-loaded-via-rundll32-exe.txt  [T1204.002,T1218.011]  Kapeka Backdoor Loaded Via Rundll32.EXE
  T1685_kaspersky-endpoint-security-stopped-via-commandline-linux.txt  [T1685]  Kaspersky Endpoint Security Stopped Via CommandLine - Linux
  T1129_katz-stealer-dll-loaded.txt  [T1129]  Katz Stealer DLL Loaded
  T1127_kavremover-dropped-binary-lolbin-usage.txt  [T1127]  Kavremover Dropped Binary LOLBIN Usage
  T1003.001_lsass-dump-keyword-in-commandline.txt  [T1003.001]  LSASS Dump Keyword In CommandLine
  T1003.001_lsass-process-dump-artefact-in-crashdumps-folder.txt  [T1003.001]  LSASS Process Dump Artefact In CrashDumps Folder
  T1003.001_lsass-process-memory-dump-creation-via-taskmgr-exe.txt  [T1003.001]  LSASS Process Memory Dump Creation Via Taskmgr.EXE
  T1003.001_lsass-process-memory-dump-files.txt  [T1003.001]  LSASS Process Memory Dump Files
  lace-tempest-cobalt-strike-download.txt  []  Lace Tempest Cobalt Strike Download
  lace-tempest-file-indicators.txt  []  Lace Tempest File Indicators
  T1574.001_lazarus-apt-dll-sideloading-activity.txt  [T1574.001]  Lazarus APT DLL Sideloading Activity
  T1036.005_lazarus-system-binary-masquerading.txt  [T1036.005]  Lazarus System Binary Masquerading
  T1218_legitimate-application-dropped-archive.txt  [T1218]  Legitimate Application Dropped Archive
  T1218_legitimate-application-dropped-executable.txt  [T1218]  Legitimate Application Dropped Executable
  T1218_legitimate-application-dropped-script.txt  [T1218]  Legitimate Application Dropped Script
  T1105_legitimate-application-writing-files-in-uncommon-location.txt  [T1105,T1218]  Legitimate Application Writing Files In Uncommon Location
  T1496_linux-crypto-mining-indicators.txt  [T1496]  Linux Crypto Mining Indicators
  T1496_linux-crypto-mining-pool-connections.txt  [T1496]  Linux Crypto Mining Pool Connections
  T1587_linux-hacktool-execution.txt  [T1587]  Linux HackTool Execution
  T1552.001_linux-recon-indicators.txt  [T1552.001,T1592.004]  Linux Recon Indicators
  T1059_linux-suspicious-child-process-from-node-js-react2shell.txt  [T1059,T1190]  Linux Suspicious Child Process from Node.js - React2Shell
  T1505.003_linux-webshell-indicators.txt  [T1505.003]  Linux Webshell Indicators
  T1195.002_litellm-teampcp-supply-chain-attack-indicators.txt  [T1195.002,T1543.002,T1560.001]  LiteLLM / TeamPCP Supply Chain Attack Indicators
  livekd-driver-creation-by-uncommon-process.txt  []  LiveKD Driver Creation By Uncommon Process
  livekd-kernel-memory-dump-file-created.txt  []  LiveKD Kernel Memory Dump File Created
  T1105_lolbas-onedrivestandaloneupdater-exe-proxy-download.txt  [T1105]  Lolbas OneDriveStandaloneUpdater.exe Proxy Download
  T1003.001_lsass-full-dump-request-via-dumptype-registry-settings.txt  [T1003.001]  Lsass Full Dump Request Via DumpType Registry Settings
  T1059.001_mercury-apt-activity.txt  [T1059.001]  MERCURY APT Activity
  T1021.003_mmc-spawning-windows-shell.txt  [T1021.003]  MMC Spawning Windows Shell
  T1021.003_mmc20-lateral-movement.txt  [T1021.003]  MMC20 Lateral Movement
  T1218_msdt-execution-via-answer-file.txt  [T1218]  MSDT Execution Via Answer File
  T1112_macro-enabled-in-a-potentially-suspicious-document.txt  [T1112]  Macro Enabled In A Potentially Suspicious Document
  T1574.001_malicious-dll-file-dropped-in-the-teams-or-onedrive-folder.txt  [T1574.001]  Malicious DLL File Dropped in the Teams or OneDrive Folder
  T1059.001_malicious-powershell-commandlets-processcreation.txt  [T1059.001,T1069,T1069.001,T1069.002,T1087,T1087.001,T1087.002,T1482]  Malicious PowerShell Commandlets - ProcessCreation
  T1059.001_malicious-powershell-scripts-filecreation.txt  [T1059.001]  Malicious PowerShell Scripts - FileCreation
  T1653_mask-system-power-settings-via-systemctl.txt  [T1653]  Mask System Power Settings Via Systemctl
  T1055.001_mavinject-inject-dll-into-running-process.txt  [T1055.001,T1218.013]  Mavinject Inject DLL Into Running Process
  T1574.001_microsoft-office-dll-sideload.txt  [T1574.001]  Microsoft Office DLL Sideload
  T1685_microsoft-office-protected-view-disabled.txt  [T1685]  Microsoft Office Protected View Disabled
  mint-sandstorm-log4j-wstomcat-process-execution.txt  []  Mint Sandstorm - Log4J Wstomcat Process Execution
  mshtml-dll-runhtmlapplication-suspicious-usage.txt  []  Mshtml.DLL RunHTMLApplication Suspicious Usage
  T1587.001_mustang-panda-dropper.txt  [T1587.001]  Mustang Panda Dropper
  T1112_net-ngenassemblyusagelog-registry-key-tamper.txt  [T1112]  NET NGenAssemblyUsageLog Registry Key Tamper
  T1003.003_ntds-exfiltration-filename-patterns.txt  [T1003.003]  NTDS Exfiltration Filename Patterns
  T1003.003_ntds-dit-creation-by-uncommon-parent-process.txt  [T1003.003]  NTDS.DIT Creation By Uncommon Parent Process
  T1003.002_ntds-dit-creation-by-uncommon-process.txt  [T1003.002,T1003.003]  NTDS.DIT Creation By Uncommon Process
  T1112_netntlm-downgrade-attack-registry.txt  [T1112,T1685]  NetNTLM Downgrade Attack - Registry
  T1496_network-communication-with-crypto-mining-pool.txt  [T1496]  Network Communication With Crypto Mining Pool
  T1203_network-connection-initiated-by-eqnedt32-exe.txt  [T1203]  Network Connection Initiated By Eqnedt32.EXE
  T1055_network-connection-initiated-via-notepad-exe.txt  [T1055]  Network Connection Initiated Via Notepad.EXE
  T1082_network-reconnaissance-activity.txt  [T1082,T1087]  Network Reconnaissance Activity
  T1546.003_new-activescripteventconsumer-created-via-wmic-exe.txt  [T1546.003]  New ActiveScriptEventConsumer Created Via Wmic.EXE
  T1112_new-dns-serverlevelplugindll-installed.txt  [T1112,T1574.001]  New DNS ServerLevelPluginDll Installed
  T1112_new-dns-serverlevelplugindll-installed-via-dnscmd-exe.txt  [T1112,T1574.001]  New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
  new-file-association-using-exefile.txt  []  New File Association Using Exefile
  T1546.007_new-netsh-helper-dll-registered-from-a-suspicious-location.txt  [T1546.007]  New Netsh Helper DLL Registered From A Suspicious Location
  T1547.001_new-run-key-pointing-to-suspicious-folder.txt  [T1547.001]  New RUN Key Pointing to Suspicious Folder
  T1547.003_new-timeproviders-registered-with-uncommon-dll-name.txt  [T1547.003]  New TimeProviders Registered With Uncommon DLL Name
  T1068_non-standard-nsswitch-conf-creation-potential-cve-2025-32463.txt  [T1068]  Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
  T1112_non-privileged-usage-of-reg-or-powershell.txt  [T1112]  Non-privileged Usage of Reg or Powershell
  ntdllpipe-like-activity-execution.txt  []  NtdllPipe Like Activity Execution
  T1068_omigod-scx-runasprovider-executescript.txt  [T1068,T1190,T1203]  OMIGOD SCX RunAsProvider ExecuteScript
  T1068_omigod-scx-runasprovider-executeshellcommand.txt  [T1068,T1190,T1203]  OMIGOD SCX RunAsProvider ExecuteShellCommand
  T1059.002_osacompile-run-only-execution.txt  [T1059.002]  OSACompile Run-Only Execution
  T1059.001_obfuscated-powershell-oneliner-execution.txt  [T1059.001,T1685]  Obfuscated PowerShell OneLiner Execution
  T1195_octopus-scanner-malware.txt  [T1195,T1195.001]  Octopus Scanner Malware
  T1566.001_office-macro-file-creation-from-suspicious-process.txt  [T1566.001]  Office Macro File Creation From Suspicious Process
  T1112_office-macros-warning-disabled.txt  [T1112]  Office Macros Warning Disabled
  T1218.001_onenote-exe-execution-of-malicious-embedded-scripts.txt  [T1218.001]  OneNote.EXE Execution of Malicious Embedded Scripts
  onyx-sleet-apt-file-creation-indicators.txt  []  Onyx Sleet APT File Creation Indicators
  T1218_openwith-exe-executes-specified-binary.txt  [T1218]  OpenWith.exe Executes Specified Binary
  T1012_operation-wocao-activity.txt  [T1012,T1027,T1036.004,T1053.005,T1059.001]  Operation Wocao Activity
  T1059_outlook-enableunsafeclientmailrules-setting-enabled.txt  [T1059,T1202]  Outlook EnableUnsafeClientMailRules Setting Enabled
  T1112_outlook-enableunsafeclientmailrules-setting-enabled-registry.txt  [T1112]  Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
  T1008_outlook-macro-execution-without-warning-setting-enabled.txt  [T1008,T1137,T1546]  Outlook Macro Execution Without Warning Setting Enabled
  T1059_pcre-net-package-image-load.txt  [T1059]  PCRE.NET Package Image Load
  T1059_pcre-net-package-temp-files.txt  [T1059]  PCRE.NET Package Temp Files
  pdf-file-created-by-regedit-exe.txt  []  PDF File Created By RegEdit.EXE
  T1136.002_psexec-remote-execution-file-artefact.txt  [T1136.002,T1543.003,T1570]  PSEXEC Remote Execution File Artefact
  T1018_pua-adfind-suspicious-execution.txt  [T1018,T1069.002,T1087.002,T1482]  PUA - AdFind Suspicious Execution
  T1134.002_pua-advancedrun-suspicious-execution.txt  [T1134.002]  PUA - AdvancedRun Suspicious Execution
  T1090.001_pua-chisel-tunneling-tool-execution.txt  [T1090.001]  PUA - Chisel Tunneling Tool Execution
  T1685_pua-cleanwipe-execution.txt  [T1685]  PUA - CleanWipe Execution
  T1003.003_pua-dit-snapshot-viewer.txt  [T1003.003]  PUA - DIT Snapshot Viewer
  T1095_pua-netcat-suspicious-execution.txt  [T1095]  PUA - Netcat Suspicious Execution
  T1572_pua-ngrok-execution.txt  [T1572]  PUA - Ngrok Execution
  T1569.002_pua-nircmd-execution-as-local-system.txt  [T1569.002]  PUA - NirCmd Execution As LOCAL SYSTEM
  T1048_pua-restic-backup-tool-execution.txt  [T1048,T1567.002]  PUA - Restic Backup Tool Execution
  T1569.002_pua-runxcmd-execution.txt  [T1569.002]  PUA - RunXCmd Execution
  T1087.002_pua-suspicious-activedirectory-enumeration-via-adfind-exe.txt  [T1087.002]  PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
  papercut-mf-ng-exploitation-related-indicators.txt  []  PaperCut MF/NG Exploitation Related Indicators
  papercut-mf-ng-potential-exploitation.txt  []  PaperCut MF/NG Potential Exploitation
  peach-sandstorm-apt-process-activity-indicators.txt  []  Peach Sandstorm APT Process Activity Indicators
  persistence-via-hhctrl-ocx.txt  []  Persistence Via Hhctrl.ocx
  T1566_phishing-pattern-iso-in-archive.txt  [T1566]  Phishing Pattern ISO in Archive
  pikabot-fake-dll-extension-execution-via-rundll32-exe.txt  []  Pikabot Fake DLL Extension Execution Via Rundll32.EXE
  T1027_ping-hex-ip.txt  [T1027,T1140]  Ping Hex IP
  T1574.001_pingback-backdoor-activity.txt  [T1574.001]  Pingback Backdoor Activity
  T1574.001_pingback-backdoor-dll-loading-activity.txt  [T1574.001]  Pingback Backdoor DLL Loading Activity
  T1574.001_pingback-backdoor-file-indicators.txt  [T1574.001]  Pingback Backdoor File Indicators
  T1574.011_possible-privilege-escalation-via-weak-service-permissions.txt  [T1574.011]  Possible Privilege Escalation via Weak Service Permissions
  T1053_potential-actinium-persistence-activity.txt  [T1053,T1053.005]  Potential ACTINIUM Persistence Activity
  T1685_potential-amsi-bypass-via-net-reflection.txt  [T1685]  Potential AMSI Bypass Via .NET Reflection
  T1685_potential-amsi-com-server-hijacking.txt  [T1685]  Potential AMSI COM Server Hijacking
  potential-apt-fin7-reconnaissance-powertrash-related-activit.txt  []  Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
  potential-apt-fin7-related-powershell-script-created.txt  []  Potential APT FIN7 Related PowerShell Script Created
  potential-apt-mustang-panda-activity-against-australian-gov.txt  []  Potential APT Mustang Panda Activity Against Australian Gov
  T1059.005_potential-apt10-cloud-hopper-activity.txt  [T1059.005]  Potential APT10 Cloud Hopper Activity
  T1127_potential-arbitrary-code-execution-via-node-exe.txt  [T1127]  Potential Arbitrary Code Execution Via Node.EXE
  T1059_potential-atlassian-confluence-cve-2021-26084-exploitation-a.txt  [T1059,T1190]  Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
  potential-attachment-manager-settings-associations-tamper.txt  []  Potential Attachment Manager Settings Associations Tamper
  potential-attachment-manager-settings-attachments-tamper.txt  []  Potential Attachment Manager Settings Attachments Tamper
  T1685.001_potential-autologger-sessions-tampering.txt  [T1685.001]  Potential AutoLogger Sessions Tampering
  T1012_potential-baby-shark-malware-activity.txt  [T1012,T1059.001,T1059.003,T1218.005]  Potential Baby Shark Malware Activity
  T1140_potential-base64-decoded-from-images.txt  [T1140]  Potential Base64 Decoded From Images
  T1059.001_potential-blackbyte-ransomware-activity.txt  [T1059.001,T1140,T1485,T1498]  Potential BlackByte Ransomware Activity
  potential-coldsteel-persistence-service-dll-creation.txt  []  Potential COLDSTEEL Persistence Service DLL Creation
  potential-coldsteel-persistence-service-dll-load.txt  []  Potential COLDSTEEL Persistence Service DLL Load
  potential-coldsteel-rat-file-indicators.txt  []  Potential COLDSTEEL RAT File Indicators
  potential-coldsteel-rat-windows-user-creation.txt  []  Potential COLDSTEEL RAT Windows User Creation
  T1219.002_potential-csharp-streamer-rat-loading-net-executable-image.txt  [T1219.002]  Potential CSharp Streamer RAT Loading .NET Executable Image
  T1203_potential-cve-2021-26857-exploitation-attempt.txt  [T1203]  Potential CVE-2021-26857 Exploitation Attempt
  T1059_potential-cve-2021-40444-exploitation-attempt.txt  [T1059]  Potential CVE-2021-40444 Exploitation Attempt
  T1190_potential-cve-2021-44228-exploitation-attempt-vmware-horizon.txt  [T1190]  Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
  T1190_potential-cve-2022-26809-exploitation-attempt.txt  [T1190,T1569.002]  Potential CVE-2022-26809 Exploitation Attempt
  potential-cve-2023-21554-queuejumper-exploitation.txt  []  Potential CVE-2023-21554 QueueJumper Exploitation
  T1505.001_potential-cve-2023-27363-exploitation-hta-file-creation-by-f.txt  [T1505.001]  Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
  potential-cve-2023-36874-exploitation-fake-wermgr-exe-creati.txt  []  Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
  T1187_potential-cve-2026-33829-exploitation-windows-snipping-tool.txt  [T1187]  Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
  T1204.001_potential-clickfix-execution-pattern-registry.txt  [T1204.001]  Potential ClickFix Execution Pattern - Registry
  T1059_potential-cobaltstrike-process-patterns.txt  [T1059]  Potential CobaltStrike Process Patterns
  T1021.002_potential-cobaltstrike-service-installations-registry.txt  [T1021.002,T1543.003,T1569.002]  Potential CobaltStrike Service Installations - Registry
  potential-compromised-3cxdesktopapp-beaconing-activity-netco.txt  []  Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
  T1218_potential-compromised-3cxdesktopapp-update-activity.txt  [T1218]  Potential Compromised 3CXDesktopApp Update Activity
  T1005_potential-conti-ransomware-database-dumping-activity-via-sql.txt  [T1005]  Potential Conti Ransomware Database Dumping Activity Via SQLCmd
  T1003_potential-credential-dumping-attempt-using-new-networkprovid.txt  [T1003]  Potential Credential Dumping Attempt Using New NetworkProvider - CLI
  T1496_potential-crypto-mining-activity.txt  [T1496]  Potential Crypto Mining Activity
  T1574.001_potential-dll-sideloading-via-vmware-xfer.txt  [T1574.001]  Potential DLL Sideloading Via VMware Xfer
  T1574.001_potential-dll-sideloading-via-comctl32-dll.txt  [T1574.001]  Potential DLL Sideloading Via comctl32.dll
  T1059.001_potential-data-exfiltration-activity-via-commandline-tools.txt  [T1059.001]  Potential Data Exfiltration Activity Via CommandLine Tools
  T1185_potential-data-stealing-via-chromium-headless-debugging.txt  [T1185,T1564.003]  Potential Data Stealing Via Chromium Headless Debugging
  potential-defense-evasion-activity-via-emoji-usage-in-comman.txt  []  Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
  potential-defense-evasion-activity-via-emoji-usage-in-comman_2.txt  []  Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
  potential-defense-evasion-activity-via-emoji-usage-in-comman_3.txt  []  Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
  potential-defense-evasion-activity-via-emoji-usage-in-comman_4.txt  []  Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
  T1036.002_potential-defense-evasion-via-right-to-left-override.txt  [T1036.002]  Potential Defense Evasion Via Right-to-Left Override
  T1218_potential-devil-bait-malware-reconnaissance.txt  [T1218]  Potential Devil Bait Malware Reconnaissance
  potential-devil-bait-related-indicator.txt  []  Potential Devil Bait Related Indicator
  T1574.001_potential-eacore-dll-sideloading.txt  [T1574.001]  Potential EACore.DLL Sideloading
  T1574.001_potential-edputil-dll-sideloading.txt  [T1574.001]  Potential Edputil.DLL Sideloading
  T1027_potential-emotet-activity.txt  [T1027,T1059.001]  Potential Emotet Activity
  T1218.010_potential-empiremonkey-activity.txt  [T1218.010]  Potential EmpireMonkey Activity
  T1685.001_potential-eventlog-file-location-tampering.txt  [T1685.001]  Potential EventLog File Location Tampering
  potential-exploitation-attempt-from-office-application.txt  []  Potential Exploitation Attempt From Office Application
  T1190_potential-exploitation-attempt-of-undocumented-windowsserver.txt  [T1190]  Potential Exploitation Attempt Of Undocumented WindowsServer RCE
  potential-exploitation-of-cve-2024-3094-suspicious-ssh-child.txt  []  Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
  T1059.001_potential-exploitation-of-crushftp-rce-vulnerability-cve-202.txt  [T1059.001,T1059.003,T1068,T1190]  Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
  T1059.001_potential-exploitation-of-goanywhere-mft-vulnerability.txt  [T1059.001,T1133,T1190]  Potential Exploitation of GoAnywhere MFT Vulnerability
  T1105_potential-exploitation-of-rce-vulnerability-cve-2025-33053.txt  [T1105,T1218]  Potential Exploitation of RCE Vulnerability CVE-2025-33053
  T1105_potential-exploitation-of-rce-vulnerability-cve-2025-33053-i.txt  [T1105,T1218]  Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
  T1036.002_potential-file-extension-spoofing-using-right-to-left-overri.txt  [T1036.002]  Potential File Extension Spoofing Using Right-to-Left Override
  T1082_potential-gobrat-file-discovery-via-grep.txt  [T1082]  Potential GobRAT File Discovery Via Grep
  potential-goofy-guineapig-backdoor-activity.txt  []  Potential Goofy Guineapig Backdoor Activity
  potential-goofy-guineapig-goolgeupdate-process-anomaly.txt  []  Potential Goofy Guineapig GoolgeUpdate Process Anomaly
  T1574.001_potential-iviewers-dll-sideloading.txt  [T1574.001]  Potential Iviewers.DLL Sideloading
  T1547.001_potential-kamikakabot-activity-winlogon-shell-persistence.txt  [T1547.001]  Potential KamiKakaBot Activity - Winlogon Shell Persistence
  potential-kapeka-decrypted-backdoor-indicator.txt  []  Potential Kapeka Decrypted Backdoor Indicator
  T1685_potential-ke3chang-tidepool-malware-activity.txt  [T1685]  Potential Ke3chang/TidePool Malware Activity
  T1003.001_potential-lsass-process-dump-via-procdump.txt  [T1003.001,T1036]  Potential LSASS Process Dump Via Procdump
  T1218.005_potential-lethalhta-technique-execution.txt  [T1218.005]  Potential LethalHTA Technique Execution
  T1563.002_potential-mstsc-shadowing-activity.txt  [T1563.002]  Potential MSTSC Shadowing Activity
  T1134.001_potential-meterpreter-cobaltstrike-activity.txt  [T1134.001,T1134.002]  Potential Meterpreter/CobaltStrike Activity
  T1574.001_potential-mpclient-dll-sideloading.txt  [T1574.001]  Potential Mpclient.DLL Sideloading
  T1574.001_potential-mpclient-dll-sideloading-via-defender-binaries.txt  [T1574.001]  Potential Mpclient.DLL Sideloading Via Defender Binaries
  potential-muddywater-apt-activity.txt  []  Potential MuddyWater APT Activity
  T1112_potential-netwire-rat-activity-registry.txt  [T1112]  Potential NetWire RAT Activity - Registry
  T1059_potential-netcat-reverse-shell-execution.txt  [T1059]  Potential Netcat Reverse Shell Execution
  T1574.008_potential-notepad-cve-2025-49144-exploitation.txt  [T1574.008]  Potential Notepad++ CVE-2025-49144 Exploitation
  potential-php-reverse-shell.txt  []  Potential PHP Reverse Shell
  T1546.015_potential-psfactorybuffer-com-hijacking.txt  [T1546.015]  Potential PSFactoryBuffer COM Hijacking
  potential-perl-reverse-shell-execution.txt  []  Potential Perl Reverse Shell Execution
  T1546.012_potential-persistence-via-app-paths-default-property.txt  [T1546.012]  Potential Persistence Via App Paths Default Property
  potential-persistence-via-autodialdll.txt  []  Potential Persistence Via AutodialDLL
  potential-persistence-via-chm-helper-dll.txt  []  Potential Persistence Via CHM Helper DLL
  potential-persistence-via-dllpathoverride.txt  []  Potential Persistence Via DLLPathOverride
  T1137.006_potential-persistence-via-excel-add-in-registry.txt  [T1137.006]  Potential Persistence Via Excel Add-in - Registry
  T1546.012_potential-persistence-via-globalflags.txt  [T1546.012]  Potential Persistence Via GlobalFlags
  potential-persistence-via-lsa-extensions.txt  []  Potential Persistence Via LSA Extensions
  T1037.001_potential-persistence-via-logon-scripts-commandline.txt  [T1037.001]  Potential Persistence Via Logon Scripts - CommandLine
  T1137.006_potential-persistence-via-microsoft-office-add-in.txt  [T1137.006]  Potential Persistence Via Microsoft Office Add-In
  T1137_potential-persistence-via-microsoft-office-startup-folder.txt  [T1137]  Potential Persistence Via Microsoft Office Startup Folder
  potential-persistence-via-mpnotify.txt  []  Potential Persistence Via Mpnotify
  potential-persistence-via-mycomputer-registry-keys.txt  []  Potential Persistence Via MyComputer Registry Keys
  T1137.003_potential-persistence-via-outlook-form.txt  [T1137.003]  Potential Persistence Via Outlook Form
  T1112_potential-persistence-via-outlook-home-page.txt  [T1112]  Potential Persistence Via Outlook Home Page
  T1008_potential-persistence-via-outlook-loadmacroprovideronboot-se.txt  [T1008,T1137,T1546]  Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
  T1112_potential-persistence-via-outlook-today-page.txt  [T1112]  Potential Persistence Via Outlook Today Page
  T1543.001_potential-persistence-via-plistbuddy.txt  [T1543.001,T1543.004]  Potential Persistence Via PlistBuddy
  T1053.005_potential-persistence-via-powershell-search-order-hijacking.txt  [T1053.005,T1059.001]  Potential Persistence Via Powershell Search Order Hijacking - Task
  T1546.011_potential-persistence-via-shim-database-in-uncommon-location.txt  [T1546.011]  Potential Persistence Via Shim Database In Uncommon Location
  potential-persistence-via-typedpaths.txt  []  Potential Persistence Via TypedPaths
  T1055.012_potential-pikabot-hollowing-activity.txt  [T1055.012]  Potential Pikabot Hollowing Activity
  T1574.001_potential-plugx-activity.txt  [T1574.001]  Potential PlugX Activity
  potential-powershell-execution-policy-tampering-proccreation.txt  []  Potential PowerShell Execution Policy Tampering - ProcCreation
  T1027_potential-powershell-obfuscation-via-wchar-char.txt  [T1027,T1059.001]  Potential PowerShell Obfuscation Via WCHAR/CHAR
  T1574_potential-printnightmare-exploitation-attempt.txt  [T1574]  Potential PrintNightmare Exploitation Attempt
  potential-privilege-escalation-attempt-via-exe-local-techniq.txt  []  Potential Privilege Escalation Attempt Via .Exe.Local Technique
  T1587.001_potential-privilege-escalation-to-local-system.txt  [T1587.001]  Potential Privilege Escalation To LOCAL SYSTEM
  T1574.011_potential-privilege-escalation-via-service-permissions-weakn.txt  [T1574.011]  Potential Privilege Escalation via Service Permissions Weakness
  T1055_potential-process-injection-via-msra-exe.txt  [T1055]  Potential Process Injection Via Msra.EXE
  T1218_potential-provisioning-registry-key-abuse-for-binary-proxy-e.txt  [T1218]  Potential Provisioning Registry Key Abuse For Binary Proxy Execution
  T1218_potential-provisioning-registry-key-abuse-for-binary-proxy-e_2.txt  [T1218]  Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
  T1587.001_potential-psexec-remote-execution.txt  [T1587.001]  Potential PsExec Remote Execution
  T1112_potential-qakbot-registry-activity.txt  [T1112]  Potential Qakbot Registry Activity
  potential-qakbot-rundll32-execution.txt  []  Potential Qakbot Rundll32 Execution
  T1572_potential-rdp-tunneling-via-plink.txt  [T1572]  Potential RDP Tunneling Via Plink
  T1572_potential-rdp-tunneling-via-ssh.txt  [T1572]  Potential RDP Tunneling Via SSH
  T1491.001_potential-ransomware-activity-using-legalnotice-message.txt  [T1491.001]  Potential Ransomware Activity Using LegalNotice Message
  potential-raspberry-robin-dot-ending-file.txt  []  Potential Raspberry Robin Dot Ending File
  T1574.001_potential-rcdll-dll-sideloading.txt  [T1574.001]  Potential Rcdll.DLL Sideloading
  T1053.005_potential-registry-persistence-attempt-via-windows-telemetry.txt  [T1053.005]  Potential Registry Persistence Attempt Via Windows Telemetry
  potential-renamed-rundll32-execution.txt  []  Potential Renamed Rundll32 Execution
  T1547_potential-ripzip-attack-on-startup-folder.txt  [T1547]  Potential RipZip Attack on Startup Folder
  T1574.001_potential-rjvplatform-dll-sideloading-from-non-default-locat.txt  [T1574.001]  Potential RjvPlatform.DLL Sideloading From Non-Default Location
  T1547.001_potential-ryuk-ransomware-activity.txt  [T1547.001]  Potential Ryuk Ransomware Activity
  T1003.002_potential-sam-database-dump.txt  [T1003.002]  Potential SAM Database Dump
  potential-snake-malware-installation-cli-arguments-indicator.txt  []  Potential SNAKE Malware Installation CLI Arguments Indicator
  potential-snake-malware-persistence-service-execution.txt  []  Potential SNAKE Malware Persistence Service Execution
  T1190_potential-sharepoint-toolshell-cve-2025-53770-exploitation-i.txt  [T1190]  Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
  potential-signing-bypass-via-windows-developer-features-regi.txt  []  Potential Signing Bypass Via Windows Developer Features - Registry
  T1574.001_potential-smadhook-dll-sideloading.txt  [T1574.001]  Potential SmadHook.DLL Sideloading
  T1204_potential-snatch-ransomware-activity.txt  [T1204]  Potential Snatch Ransomware Activity
  T1547.001_potential-startup-shortcut-persistence-via-powershell-exe.txt  [T1547.001]  Potential Startup Shortcut Persistence Via PowerShell.EXE
  T1218_potential-suspicious-child-process-of-3cxdesktopapp.txt  [T1218]  Potential Suspicious Child Process Of 3CXDesktopApp
  T1003.001_potential-sysinternals-procdump-evasion.txt  [T1003.001,T1036]  Potential SysInternals ProcDump Evasion
  T1574.001_potential-system-dll-sideloading-from-non-system-locations.txt  [T1574.001]  Potential System DLL Sideloading From Non System Locations
  T1685_potential-tampering-with-security-products-via-wmic.txt  [T1685]  Potential Tampering With Security Products Via WMIC
  T1112_potential-ursnif-malware-activity-registry.txt  [T1112]  Potential Ursnif Malware Activity - Registry
  T1574.001_potential-waveedit-dll-sideloading.txt  [T1574.001]  Potential Waveedit.DLL Sideloading
  T1036.003_potential-werfault-reflectdebugger-registry-value-abuse.txt  [T1036.003]  Potential WerFault ReflectDebugger Registry Value Abuse
  T1106_potential-winapi-calls-via-commandline.txt  [T1106]  Potential WinAPI Calls Via CommandLine
  T1027_potential-winnti-dropper-activity.txt  [T1027]  Potential Winnti Dropper Activity
  potential-wizardupdate-malware-infection.txt  []  Potential WizardUpdate Malware Infection
  T1574.001_potential-appverifui-dll-sideloading.txt  [T1574.001]  Potential appverifUI.DLL Sideloading
  T1127_potentially-suspicious-asp-net-compilation-via-aspnetcompile.txt  [T1127]  Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
  potentially-suspicious-call-to-win32-nteventlogfile-class.txt  []  Potentially Suspicious Call To Win32_NTEventlogFile Class
  T1218.010_potentially-suspicious-child-process-of-regsvr32.txt  [T1218.010]  Potentially Suspicious Child Process Of Regsvr32
  T1059.001_potentially-suspicious-command-executed-via-run-dialog-box-r.txt  [T1059.001]  Potentially Suspicious Command Executed Via Run Dialog Box - Registry
  T1548.002_potentially-suspicious-event-viewer-child-process.txt  [T1548.002]  Potentially Suspicious Event Viewer Child Process
  T1059_potentially-suspicious-execution-from-parent-process-in-publ.txt  [T1059,T1564]  Potentially Suspicious Execution From Parent Process In Public Folder
  T1003_potentially-suspicious-odbc-driver-registered.txt  [T1003]  Potentially Suspicious ODBC Driver Registered
  T1059.001_powershell-base64-encoded-frombase64string-cmdlet.txt  [T1059.001,T1140]  PowerShell Base64 Encoded FromBase64String Cmdlet
  T1059.001_powershell-base64-encoded-iex-cmdlet.txt  [T1059.001]  PowerShell Base64 Encoded IEX Cmdlet
  T1027_powershell-base64-encoded-reflective-assembly-load.txt  [T1027,T1059.001,T1620]  PowerShell Base64 Encoded Reflective Assembly Load
  T1685_powershell-defender-threat-severity-default-action-set-to-al.txt  [T1685]  PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
  T1059_powershell-download-and-execution-cradles.txt  [T1059]  PowerShell Download and Execution Cradles
  T1552.004_powershell-get-process-lsass.txt  [T1552.004]  PowerShell Get-Process LSASS
  T1112_powershell-logging-disabled-via-registry-key-tampering.txt  [T1112,T1564.001]  PowerShell Logging Disabled Via Registry Key Tampering
  T1003.002_powershell-sam-copy.txt  [T1003.002]  PowerShell SAM Copy
  T1569.002_powershell-as-a-service-in-registry.txt  [T1569.002]  PowerShell as a Service in Registry
  T1685_powershell-base64-encoded-mppreference-cmdlet.txt  [T1685]  Powershell Base64 Encoded MpPreference Cmdlet
  T1685_powershell-defender-disable-scan-feature.txt  [T1685]  Powershell Defender Disable Scan Feature
  T1027.009_powershell-token-obfuscation-process-creation.txt  [T1027.009]  Powershell Token Obfuscation - Process Creation
  T1070.004_prefetch-file-deleted.txt  [T1070.004]  Prefetch File Deleted
  T1105_printbrm-zip-creation-of-extraction.txt  [T1105,T1564.004]  PrintBrm ZIP Creation of Extraction
  T1036_process-execution-from-a-potentially-suspicious-folder.txt  [T1036]  Process Execution From A Potentially Suspicious Folder
  T1068_process-explorer-driver-creation-by-non-sysinternals-binary.txt  [T1068]  Process Explorer Driver Creation By Non-Sysinternals Binary
  T1036.003_ps-exe-renamed-sysinternals-tool.txt  [T1036.003]  Ps.exe Renamed SysInternals Tool
  psexec-service-child-process-execution-as-local-system.txt  []  PsExec Service Child Process Execution as LOCAL SYSTEM
  T1587.001_psexec-paexec-escalation-to-local-system.txt  [T1587.001]  PsExec/PAExec Escalation to LOCAL SYSTEM
  T1685_python-function-execution-security-warning-disabled-in-excel.txt  [T1685]  Python Function Execution Security Warning Disabled In Excel
  T1685_python-function-execution-security-warning-disabled-in-excel_2.txt  [T1685]  Python Function Execution Security Warning Disabled In Excel - Registry
  T1027.010_python-one-liners-with-base64-decoding-linux.txt  [T1027.010,T1059.006]  Python One-Liners with Base64 Decoding - Linux
  python-reverse-shell-execution-via-pty-and-socket-modules.txt  []  Python Reverse Shell Execution Via PTY And Socket Modules
  T1059_python-spawning-pretty-tty-on-windows.txt  [T1059]  Python Spawning Pretty TTY on Windows
  qakbot-regsvr32-calc-pattern.txt  []  Qakbot Regsvr32 Calc Pattern
  T1112_rdp-sensitive-settings-changed.txt  [T1112]  RDP Sensitive Settings Changed
  T1685_raccine-uninstall.txt  [T1685]  Raccine Uninstall
  T1560.001_rar-usage-with-password-and-compression-level.txt  [T1560.001]  Rar Usage with Password and Compression Level
  T1059.001_raspberry-robin-initial-execution-from-external-drive.txt  [T1059.001]  Raspberry Robin Initial Execution From External Drive
  T1059.001_raspberry-robin-subsequent-execution-of-commands.txt  [T1059.001]  Raspberry Robin Subsequent Execution of Commands
  T1112_redmimicry-winnti-playbook-registry-manipulation.txt  [T1112]  RedMimicry Winnti Playbook Registry Manipulation
  T1548_regedit-as-trusted-installer.txt  [T1548]  Regedit as Trusted Installer
  T1490_registry-disable-system-restore.txt  [T1490]  Registry Disable System Restore
  T1112_registry-modification-for-oci-dll-redirection.txt  [T1112,T1574.001]  Registry Modification for OCI DLL Redirection
  T1547.001_registry-persistence-via-explorer-run-key.txt  [T1547.001]  Registry Persistence via Explorer Run Key
  T1564.001_registry-persistence-via-service-in-safe-mode.txt  [T1564.001]  Registry Persistence via Service in Safe Mode
  T1219.002_remote-access-tool-anydesk-silent-installation.txt  [T1219.002]  Remote Access Tool - AnyDesk Silent Installation
  T1190_remote-access-tool-screenconnect-server-web-shell-execution.txt  [T1190]  Remote Access Tool - ScreenConnect Server Web Shell Execution
  T1220_remote-xsl-execution-via-msxsl-exe.txt  [T1220]  Remote XSL Execution Via Msxsl.EXE
  T1218_remotefxvgpudisablement-abuse-via-atomictestharnesses.txt  [T1218]  RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
  T1685_removal-of-amsi-provider-registry-keys.txt  [T1685]  Removal Of AMSI Provider Registry Keys
  renamed-vscode-code-tunnel-execution-file-indicator.txt  []  Renamed VsCode Code Tunnel Execution - File Indicator
  T1112_restrictedadminmode-registry-value-tampering.txt  [T1112]  RestrictedAdminMode Registry Value Tampering
  T1112_restrictedadminmode-registry-value-tampering-proccreation.txt  [T1112]  RestrictedAdminMode Registry Value Tampering - ProcCreation
  T1553.004_root-certificate-installed-from-susp-locations.txt  [T1553.004]  Root Certificate Installed From Susp Locations
  T1564.004_run-powershell-script-from-ads.txt  [T1564.004]  Run PowerShell Script from ADS
  T1059_run-powershell-script-from-redirected-input-stream.txt  [T1059]  Run PowerShell Script from Redirected Input Stream
  T1218.011_rundll32-spawning-explorer.txt  [T1218.011]  RunDLL32 Spawning Explorer
  T1070.003_runmru-registry-key-deletion-registry.txt  [T1070.003]  RunMRU Registry Key Deletion - Registry
  T1202_rundll32-execution-without-commandline-parameters.txt  [T1202]  Rundll32 Execution Without CommandLine Parameters
  T1021.002_rundll32-execution-without-parameters.txt  [T1021.002,T1569.002,T1570]  Rundll32 Execution Without Parameters
  T1133_running-chrome-vpn-extensions-via-the-registry-2-vpn-extensi.txt  [T1133]  Running Chrome VPN Extensions via the Registry 2 VPN Extension
  snake-malware-covert-store-registry-key.txt  []  SNAKE Malware Covert Store Registry Key
  snake-malware-werfault-persistence-file-creation.txt  []  SNAKE Malware WerFault Persistence File Creation
  T1546_sourgum-actor-behaviours.txt  [T1546,T1546.015]  SOURGUM Actor Behaviours
  T1005_sqlite-chromium-profile-data-db-access.txt  [T1005,T1539,T1555.003]  SQLite Chromium Profile Data DB Access
  T1005_sqlite-firefox-profile-data-db-access.txt  [T1005,T1539]  SQLite Firefox Profile Data DB Access
  T1053.005_schtasks-creation-or-modification-with-system-privileges.txt  [T1053.005]  Schtasks Creation Or Modification With SYSTEM Privileges
  screenconnect-slashandgrab-exploitation-indicators.txt  []  ScreenConnect - SlashAndGrab Exploitation Indicators
  T1047_script-event-consumer-spawning-process.txt  [T1047]  Script Event Consumer Spawning Process
  T1005_script-interpreter-spawning-credential-scanner-linux.txt  [T1005,T1059.004,T1552]  Script Interpreter Spawning Credential Scanner - Linux
  T1005_script-interpreter-spawning-credential-scanner-windows.txt  [T1005,T1059.007,T1552]  Script Interpreter Spawning Credential Scanner - Windows
  T1036_sdiagnhost-calling-suspicious-child-process.txt  [T1036,T1218]  Sdiagnhost Calling Suspicious Child Process
  T1112_security-event-logging-disabled-via-minint-registry-key-regi.txt  [T1112,T1685.001]  Security Event Logging Disabled via MiniNt Registry Key - Registry Set
  T1685_security-service-disabled-via-reg-exe.txt  [T1685]  Security Service Disabled Via Reg.EXE
  T1490_sensitive-file-access-via-volume-shadow-copy-backup.txt  [T1490]  Sensitive File Access Via Volume Shadow Copy Backup
  T1053.005_serpent-backdoor-payload-execution-via-scheduled-task.txt  [T1053.005,T1059.006]  Serpent Backdoor Payload Execution Via Scheduled Task
  T1112_service-binary-in-suspicious-folder.txt  [T1112]  Service Binary in Suspicious Folder
  T1195.002_shai-hulud-2-0-malicious-npm-package-installation.txt  [T1195.002]  Shai-Hulud 2.0 Malicious NPM Package Installation
  T1195.002_shai-hulud-2-0-malicious-npm-package-installation-linux.txt  [T1195.002]  Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
  T1195.002_shai-hulud-malicious-bun-execution.txt  [T1195.002,T1203]  Shai-Hulud Malicious Bun Execution
  T1195.002_shai-hulud-malicious-bun-execution-linux.txt  [T1195.002,T1203]  Shai-Hulud Malicious Bun Execution - Linux
  T1119_shai-hulud-malicious-github-workflow-creation.txt  [T1119,T1552.001]  Shai-Hulud Malicious GitHub Workflow Creation
  T1059_shai-hulud-malware-indicators-linux.txt  [T1059]  Shai-Hulud Malware Indicators - Linux
  T1059_shai-hulud-malware-indicators-windows.txt  [T1059]  Shai-Hulud Malware Indicators - Windows
  T1005_shai-hulud-npm-package-malicious-exfiltration-via-curl.txt  [T1005,T1041]  Shai-Hulud NPM Package Malicious Exfiltration via Curl
  T1083_shell-execution-gcc-linux.txt  [T1083]  Shell Execution GCC - Linux
  shell-execution-of-process-located-in-tmp-directory.txt  []  Shell Execution Of Process Located In Tmp Directory
  T1083_shell-execution-via-find-linux.txt  [T1083]  Shell Execution via Find - Linux
  T1083_shell-execution-via-flock-linux.txt  [T1083]  Shell Execution via Flock - Linux
  T1059_shell-execution-via-git-linux.txt  [T1059]  Shell Execution via Git - Linux
  T1083_shell-execution-via-nice-linux.txt  [T1083]  Shell Execution via Nice - Linux
  T1059_shell-execution-via-rsync-linux.txt  [T1059]  Shell Execution via Rsync - Linux
  T1059_shell-invocation-via-ssh-linux.txt  [T1059]  Shell Invocation Via Ssh - Linux
  T1059.004_shell-invocation-via-env-command-linux.txt  [T1059.004]  Shell Invocation via Env Command - Linux
  T1112_shimcache-flush.txt  [T1112]  ShimCache Flush
  T1574.001_small-sieve-malware-commandline-indicator.txt  [T1574.001]  Small Sieve Malware CommandLine Indicator
  T1036.005_small-sieve-malware-file-indicator-creation.txt  [T1036.005]  Small Sieve Malware File Indicator Creation
  small-sieve-malware-registry-persistence.txt  []  Small Sieve Malware Registry Persistence
  T1059.003_sofacy-trojan-loader-activity.txt  [T1059.003,T1218.011]  Sofacy Trojan Loader Activity
  T1068_sudo-privilege-escalation-cve-2019-14287.txt  [T1068,T1548.003]  Sudo Privilege Escalation CVE-2019-14287
  T1505.003_suspicious-aspx-file-drop-by-exchange.txt  [T1505.003]  Suspicious ASPX File Drop by Exchange
  T1685_suspicious-application-allowed-through-exploit-guard.txt  [T1685]  Suspicious Application Allowed Through Exploit Guard
  T1059_suspicious-arcsoc-exe-child-process.txt  [T1059,T1203]  Suspicious ArcSOC.exe Child Process
  T1204_suspicious-binaries-and-scripts-in-public-folder.txt  [T1204]  Suspicious Binaries and Scripts in Public Folder
  T1204.002_suspicious-binary-in-user-directory-spawned-from-office-appl.txt  [T1204.002]  Suspicious Binary In User Directory Spawned From Office Application
  T1219.002_suspicious-binary-writes-via-anydesk.txt  [T1219.002]  Suspicious Binary Writes Via AnyDesk
  T1021.003_suspicious-bitlocker-access-agent-update-utility-execution.txt  [T1021.003,T1218]  Suspicious BitLocker Access Agent Update Utility Execution
  T1036_suspicious-calculator-usage.txt  [T1036]  Suspicious Calculator Usage
  T1123_suspicious-camera-and-microphone-access.txt  [T1123,T1125]  Suspicious Camera and Microphone Access
  T1134.002_suspicious-child-process-created-as-system.txt  [T1134.002]  Suspicious Child Process Created as System
  T1059.005_suspicious-child-process-of-bginfo-exe.txt  [T1059.005,T1202,T1218]  Suspicious Child Process Of BgInfo.EXE
  T1102_suspicious-child-process-of-manage-engine-servicedesk.txt  [T1102]  Suspicious Child Process Of Manage Engine ServiceDesk
  T1190_suspicious-child-process-of-sql-server.txt  [T1190,T1505.003]  Suspicious Child Process Of SQL Server
  T1036_suspicious-child-process-of-wermgr-exe.txt  [T1036,T1055]  Suspicious Child Process Of Wermgr.EXE
  T1127_suspicious-child-process-of-aspnetcompiler.txt  [T1127]  Suspicious Child Process of AspNetCompiler
  T1195.002_suspicious-child-process-of-notepad-updater-gup-exe.txt  [T1195.002,T1557]  Suspicious Child Process of Notepad++ Updater - GUP.Exe
  T1190_suspicious-child-process-of-solarwinds-webhelpdesk.txt  [T1190]  Suspicious Child Process of SolarWinds WebHelpDesk
  T1176.001_suspicious-chromium-browser-instance-executed-with-custom-ex.txt  [T1176.001]  Suspicious Chromium Browser Instance Executed With Custom Extension
  T1204.001_suspicious-clickfix-filefix-execution-pattern.txt  [T1204.001,T1204.004]  Suspicious ClickFix/FileFix Execution Pattern
  T1053.005_suspicious-command-patterns-in-scheduled-task-creation.txt  [T1053.005]  Suspicious Command Patterns In Scheduled Task Creation
  T1564_suspicious-creation-with-colorcpl.txt  [T1564]  Suspicious Creation with Colorcpl
  T1105_suspicious-curl-exe-download.txt  [T1105]  Suspicious Curl.EXE Download
  T1216_suspicious-customshellhost-execution.txt  [T1216]  Suspicious CustomShellHost Execution
  T1546.008_suspicious-debugger-registration-cmdline.txt  [T1546.008]  Suspicious Debugger Registration Cmdline
  T1105_suspicious-desktopimgdownldr-command.txt  [T1105]  Suspicious Desktopimgdownldr Command
  T1105_suspicious-desktopimgdownldr-target-file.txt  [T1105]  Suspicious Desktopimgdownldr Target File
  T1218_suspicious-dotnet-clr-usage-log-artifact.txt  [T1218]  Suspicious DotNET CLR Usage Log Artifact
  T1566.001_suspicious-double-extension-file-execution.txt  [T1566.001]  Suspicious Double Extension File Execution
  T1036.007_suspicious-double-extension-files.txt  [T1036.007]  Suspicious Double Extension Files
  T1059.004_suspicious-download-and-execute-pattern-via-curl-wget.txt  [T1059.004,T1203]  Suspicious Download and Execute Pattern via Curl/Wget
  T1105_suspicious-download-from-office-domain.txt  [T1105,T1608]  Suspicious Download from Office Domain
  T1027_suspicious-encoded-and-obfuscated-reflection-assembly-load-f.txt  [T1027,T1059.001]  Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
  suspicious-environment-variable-has-been-registered.txt  []  Suspicious Environment Variable Has Been Registered
  T1564_suspicious-executable-file-creation.txt  [T1564]  Suspicious Executable File Creation
  T1566.001_suspicious-execution-from-outlook-temporary-folder.txt  [T1566.001]  Suspicious Execution From Outlook Temporary Folder
  suspicious-execution-location-of-wermgr-exe.txt  []  Suspicious Execution Location Of Wermgr.EXE
  T1588.002_suspicious-execution-of-renamed-sysinternals-tools-registry.txt  [T1588.002]  Suspicious Execution Of Renamed Sysinternals Tools - Registry
  T1027.010_suspicious-explorer-process-with-whitespace-padding-clickfix.txt  [T1027.010,T1204.004]  Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
  suspicious-file-created-via-onenote-application.txt  []  Suspicious File Created Via OneNote Application
  T1105_suspicious-file-created-by-arcsoc-exe.txt  [T1105,T1127,T1133]  Suspicious File Created by ArcSOC.exe
  T1566.001_suspicious-file-created-in-outlook-temporary-directory.txt  [T1566.001]  Suspicious File Created in Outlook Temporary Directory
  suspicious-file-creation-activity-from-fake-recycle-bin-fold.txt  []  Suspicious File Creation Activity From Fake Recycle.Bin Folder
  suspicious-file-creation-in-uncommon-appdata-folder.txt  []  Suspicious File Creation In Uncommon AppData Folder
  T1190_suspicious-file-write-to-sharepoint-layouts-directory.txt  [T1190,T1505.003]  Suspicious File Write to SharePoint Layouts Directory
  T1204.004_suspicious-filefix-execution-pattern.txt  [T1204.004]  Suspicious FileFix Execution Pattern
  T1027_suspicious-filename-with-embedded-base64-commands.txt  [T1027,T1059.004]  Suspicious Filename with Embedded Base64 Commands
  T1574.001_suspicious-gup-usage.txt  [T1574.001]  Suspicious GUP Usage
  T1027_suspicious-get-variable-exe-creation.txt  [T1027,T1546]  Suspicious Get-Variable.exe Creation
  T1547_suspicious-grpconv-execution.txt  [T1547]  Suspicious GrpConv Execution
  T1059.003_suspicious-hwp-sub-processes.txt  [T1059.003,T1203,T1566.001]  Suspicious HWP Sub Processes
  T1505.004_suspicious-iis-module-registration.txt  [T1505.004]  Suspicious IIS Module Registration
  T1059.001_suspicious-interactive-powershell-as-system.txt  [T1059.001]  Suspicious Interactive PowerShell as SYSTEM
  T1059_suspicious-invocation-of-shell-via-awk-linux.txt  [T1059]  Suspicious Invocation of Shell via AWK - Linux
  T1059_suspicious-invocation-of-shell-via-rsync.txt  [T1059,T1203]  Suspicious Invocation of Shell via Rsync
  T1059_suspicious-java-children-processes.txt  [T1059]  Suspicious Java Children Processes
  T1082_suspicious-kernel-dump-using-dtrace.txt  [T1082]  Suspicious Kernel Dump Using Dtrace
  T1204.002_suspicious-lnk-command-line-padding-with-whitespace-characte.txt  [T1204.002]  Suspicious LNK Command-Line Padding with Whitespace Characters
  T1003_suspicious-loading-of-dbgcore-dbghelp-dlls-from-uncommon-loc.txt  [T1003,T1685]  Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
  T1190_suspicious-msexchangemailboxreplication-aspx-write.txt  [T1190,T1505.003]  Suspicious MSExchangeMailboxReplication ASPX Write
  T1059.002_suspicious-microsoft-office-child-process-macos.txt  [T1059.002,T1137.002,T1204.002]  Suspicious Microsoft Office Child Process - MacOS
  T1053.005_suspicious-modification-of-scheduled-tasks.txt  [T1053.005]  Suspicious Modification Of Scheduled Tasks
  T1543.003_suspicious-new-service-creation.txt  [T1543.003]  Suspicious New Service Creation
  suspicious-nohup-execution.txt  []  Suspicious Nohup Execution
  suspicious-obfuscated-powershell-code.txt  []  Suspicious Obfuscated PowerShell Code
  T1204.002_suspicious-outlook-child-process.txt  [T1204.002]  Suspicious Outlook Child Process
  T1008_suspicious-outlook-macro-created.txt  [T1008,T1137,T1546]  Suspicious Outlook Macro Created
  T1036.007_suspicious-parent-double-extension-file-execution.txt  [T1036.007]  Suspicious Parent Double Extension File Execution
  T1685_suspicious-path-in-keyboard-layout-ime-file-registry-value.txt  [T1685]  Suspicious Path In Keyboard Layout IME File Registry Value
  T1070.004_suspicious-ping-del-command-combination.txt  [T1070.004]  Suspicious Ping/Del Command Combination
  T1059.001_suspicious-powershell-download-and-execute-pattern.txt  [T1059.001]  Suspicious PowerShell Download and Execute Pattern
  T1059.001_suspicious-powershell-iex-execution-patterns.txt  [T1059.001]  Suspicious PowerShell IEX Execution Patterns
  T1059.001_suspicious-powershell-parameter-substring.txt  [T1059.001]  Suspicious PowerShell Parameter Substring
  T1574_suspicious-printer-driver-empty-manufacturer.txt  [T1574]  Suspicious Printer Driver Empty Manufacturer
  T1059.001_suspicious-printerports-creation-cve-2020-1048.txt  [T1059.001]  Suspicious PrinterPorts Creation (CVE-2020-1048)
  T1190_suspicious-process-by-web-server-process.txt  [T1190,T1505.003]  Suspicious Process By Web Server Process
  T1047_suspicious-process-created-via-wmic-exe.txt  [T1047]  Suspicious Process Created Via Wmic.EXE
  suspicious-process-execution-from-fake-recycle-bin-folder.txt  []  Suspicious Process Execution From Fake Recycle.Bin Folder
  T1003.003_suspicious-process-patterns-ntds-dit-exfil.txt  [T1003.003]  Suspicious Process Patterns NTDS.DIT Exfil
  T1059.003_suspicious-process-spawned-by-centrestack-portal-apppool.txt  [T1059.003,T1505.003]  Suspicious Process Spawned by CentreStack Portal AppPool
  suspicious-processes-spawned-by-java-exe.txt  []  Suspicious Processes Spawned by Java.EXE
  T1190_suspicious-processes-spawned-by-winrm.txt  [T1190]  Suspicious Processes Spawned by WinRM
  T1059_suspicious-program-names.txt  [T1059]  Suspicious Program Names
  T1218_suspicious-provlaunch-exe-child-process.txt  [T1218]  Suspicious Provlaunch.EXE Child Process
  T1021.001_suspicious-rdp-redirect-using-tscon.txt  [T1021.001,T1563.002]  Suspicious RDP Redirect Using TSCON
  T1553_suspicious-razerinstaller-explorer-subprocess.txt  [T1553]  Suspicious RazerInstaller Explorer Subprocess
  T1059.005_suspicious-reconnaissance-activity-via-gathernetworkinfo-vbs.txt  [T1059.005,T1615]  Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
  T1048_suspicious-redirection-to-local-admin-share.txt  [T1048]  Suspicious Redirection to Local Admin Share
  T1486_suspicious-reg-add-bitlocker.txt  [T1486]  Suspicious Reg Add BitLocker
  T1059_suspicious-remote-child-process-from-outlook.txt  [T1059,T1202]  Suspicious Remote Child Process From Outlook
  T1547.001_suspicious-run-key-from-download.txt  [T1547.001]  Suspicious Run Key from Download
  T1218.011_suspicious-rundll32-activity-invoking-sys-file.txt  [T1218.011]  Suspicious Rundll32 Activity Invoking Sys File
  T1055_suspicious-rundll32-invoking-inline-vbscript.txt  [T1055]  Suspicious Rundll32 Invoking Inline VBScript
  T1003_suspicious-system-user-process-creation.txt  [T1003,T1027,T1134]  Suspicious SYSTEM User Process Creation
  T1053.005_suspicious-scheduled-task-creation-involving-temp-folder.txt  [T1053.005]  Suspicious Scheduled Task Creation Involving Temp Folder
  T1053_suspicious-scheduled-task-write-to-system32-tasks.txt  [T1053]  Suspicious Scheduled Task Write to System32 Tasks
  T1053.005_suspicious-schtasks-execution-appdata-folder.txt  [T1053.005,T1059.001]  Suspicious Schtasks Execution AppData Folder
  T1555_suspicious-serv-u-process-pattern.txt  [T1555]  Suspicious Serv-U Process Pattern
  T1202_suspicious-service-binary-directory.txt  [T1202]  Suspicious Service Binary Directory
  T1543.003_suspicious-service-path-modification.txt  [T1543.003]  Suspicious Service Path Modification
  T1218.011_suspicious-shellexec-rundll-call-via-ordinal.txt  [T1218.011]  Suspicious ShellExec_RunDLL Call Via Ordinal
  suspicious-shells-spawn-by-java-utility-keytool.txt  []  Suspicious Shells Spawn by Java Utility Keytool
  T1546.011_suspicious-shim-database-patching-activity.txt  [T1546.011]  Suspicious Shim Database Patching Activity
  T1027.010_suspicious-space-characters-in-runmru-registry-path-clickfix.txt  [T1027.010,T1204.004]  Suspicious Space Characters in RunMRU Registry Path - ClickFix
  T1027.010_suspicious-space-characters-in-typedpaths-registry-path-file.txt  [T1027.010,T1204.004]  Suspicious Space Characters in TypedPaths Registry Path - FileFix
  T1021.003_suspicious-speech-runtime-binary-child-process.txt  [T1021.003,T1218]  Suspicious Speech Runtime Binary Child Process
  T1202_suspicious-splwow64-without-params.txt  [T1202]  Suspicious Splwow64 Without Params
  T1204.002_suspicious-startup-folder-persistence.txt  [T1204.002,T1547.001]  Suspicious Startup Folder Persistence
  T1219.002_suspicious-tscon-start-as-system.txt  [T1219.002]  Suspicious TSCON Start as SYSTEM
  T1021.005_suspicious-ultravnc-execution.txt  [T1021.005]  Suspicious UltraVNC Execution
  suspicious-usage-of-shellexec-rundll.txt  []  Suspicious Usage Of ShellExec_RunDLL
  T1547.001_suspicious-vbscript-un2452-pattern.txt  [T1547.001]  Suspicious VBScript UN2452 Pattern
  T1219_suspicious-velociraptor-child-process.txt  [T1219]  Suspicious Velociraptor Child Process
  T1048.003_suspicious-webdav-client-execution-via-rundll32-exe.txt  [T1048.003]  Suspicious WebDav Client Execution Via Rundll32.EXE
  T1047_suspicious-wmiprvse-child-process.txt  [T1047,T1204.002,T1218.010]  Suspicious WmiPrvSE Child Process
  T1587_suspicious-word-cab-file-write-cve-2021-40444.txt  [T1587]  Suspicious Word Cab File Write CVE-2021-40444
  T1685.006_syslog-clearing-or-removal-via-system-utilities.txt  [T1685.006]  Syslog Clearing or Removal Via System Utilities
  T1685_sysmon-driver-altitude-change.txt  [T1685]  Sysmon Driver Altitude Change
  T1574.001_system-control-panel-item-loaded-from-uncommon-location.txt  [T1574.001]  System Control Panel Item Loaded From Uncommon Location
  T1036_system-file-execution-location-anomaly.txt  [T1036]  System File Execution Location Anomaly
  T1055.001_taidoor-rat-dll-load.txt  [T1055.001]  TAIDOOR RAT DLL Load
  T1685_tamper-windows-defender-remove-mppreference.txt  [T1685]  Tamper Windows Defender Remove-MpPreference
  T1685_tamper-with-sophos-av-registry-keys.txt  [T1685]  Tamper With Sophos AV Registry Keys
  T1685_taskkill-symantec-endpoint-protection.txt  [T1685]  Taskkill Symantec Endpoint Protection
  T1036_taskmgr-as-local-system.txt  [T1036]  Taskmgr as LOCAL_SYSTEM
  T1574.001_tasks-folder-evasion.txt  [T1574.001]  Tasks Folder Evasion
  T1195.002_teampcp-litellm-supply-chain-attack-persistence-indicators.txt  [T1195.002,T1543.002]  TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
  T1003.001_time-travel-debugging-utility-usage.txt  [T1003.001,T1218]  Time Travel Debugging Utility Usage
  T1003.001_time-travel-debugging-utility-usage-image.txt  [T1003.001,T1218]  Time Travel Debugging Utility Usage - Image
  T1559_trickbot-malware-activity.txt  [T1559]  Trickbot Malware Activity
  triple-cross-ebpf-rootkit-default-lockfile.txt  []  Triple Cross eBPF Rootkit Default LockFile
  T1053.003_triple-cross-ebpf-rootkit-default-persistence.txt  [T1053.003]  Triple Cross eBPF Rootkit Default Persistence
  triple-cross-ebpf-rootkit-execve-hijack.txt  []  Triple Cross eBPF Rootkit Execve Hijack
  T1014_triple-cross-ebpf-rootkit-install-commands.txt  [T1014]  Triple Cross eBPF Rootkit Install Commands
  T1059.001_tropictrooper-campaign-november-2018.txt  [T1059.001]  TropicTrooper Campaign November 2018
  T1112_trust-access-disable-for-vbapplications.txt  [T1112]  Trust Access Disable For VBApplications
  T1548.002_trusted-path-bypass-via-windows-directory-spoofing.txt  [T1548.002,T1574.007]  Trusted Path Bypass via Windows Directory Spoofing
  T1548.002_uac-bypass-abusing-winsat-path-parsing-file.txt  [T1548.002]  UAC Bypass Abusing Winsat Path Parsing - File
  T1548.002_uac-bypass-abusing-winsat-path-parsing-process.txt  [T1548.002]  UAC Bypass Abusing Winsat Path Parsing - Process
  T1548.002_uac-bypass-abusing-winsat-path-parsing-registry.txt  [T1548.002]  UAC Bypass Abusing Winsat Path Parsing - Registry
  T1548.002_uac-bypass-tools-using-computerdefaults.txt  [T1548.002]  UAC Bypass Tools Using ComputerDefaults
  T1548.002_uac-bypass-using-net-code-profiler-on-mmc.txt  [T1548.002]  UAC Bypass Using .NET Code Profiler on MMC
  T1548.002_uac-bypass-using-changepk-and-slui.txt  [T1548.002]  UAC Bypass Using ChangePK and SLUI
  T1548.002_uac-bypass-using-consent-and-comctl32-file.txt  [T1548.002]  UAC Bypass Using Consent and Comctl32 - File
  T1548.002_uac-bypass-using-consent-and-comctl32-process.txt  [T1548.002]  UAC Bypass Using Consent and Comctl32 - Process
  T1548.002_uac-bypass-using-disk-cleanup.txt  [T1548.002]  UAC Bypass Using Disk Cleanup
  T1548.002_uac-bypass-using-dismhost.txt  [T1548.002]  UAC Bypass Using DismHost
  uac-bypass-using-event-viewer-recentviews.txt  []  UAC Bypass Using Event Viewer RecentViews
  uac-bypass-using-eventvwr.txt  []  UAC Bypass Using EventVwr
  T1548.002_uac-bypass-using-idiagnostic-profile.txt  [T1548.002]  UAC Bypass Using IDiagnostic Profile
  T1548.002_uac-bypass-using-idiagnostic-profile-file.txt  [T1548.002]  UAC Bypass Using IDiagnostic Profile - File
  T1548.002_uac-bypass-using-ieinstal-file.txt  [T1548.002]  UAC Bypass Using IEInstal - File
  T1548.002_uac-bypass-using-ieinstal-process.txt  [T1548.002]  UAC Bypass Using IEInstal - Process
  T1548.002_uac-bypass-using-iscsicpl-imageload.txt  [T1548.002]  UAC Bypass Using Iscsicpl - ImageLoad
  T1548.002_uac-bypass-using-msconfig-token-modification-file.txt  [T1548.002]  UAC Bypass Using MSConfig Token Modification - File
  T1548.002_uac-bypass-using-msconfig-token-modification-process.txt  [T1548.002]  UAC Bypass Using MSConfig Token Modification - Process
  T1548.002_uac-bypass-using-ntfs-reparse-point-file.txt  [T1548.002]  UAC Bypass Using NTFS Reparse Point - File
  T1548.002_uac-bypass-using-ntfs-reparse-point-process.txt  [T1548.002]  UAC Bypass Using NTFS Reparse Point - Process
  T1548.002_uac-bypass-using-pkgmgr-and-dism.txt  [T1548.002]  UAC Bypass Using PkgMgr and DISM
  T1548.002_uac-bypass-using-windows-media-player-file.txt  [T1548.002]  UAC Bypass Using Windows Media Player - File
  T1548.002_uac-bypass-using-windows-media-player-process.txt  [T1548.002]  UAC Bypass Using Windows Media Player - Process
  T1548.002_uac-bypass-using-windows-media-player-registry.txt  [T1548.002]  UAC Bypass Using Windows Media Player - Registry
  T1548.002_uac-bypass-via-wsreset.txt  [T1548.002]  UAC Bypass Via Wsreset
  T1548.002_uac-bypass-wsreset.txt  [T1548.002]  UAC Bypass WSReset
  T1548.002_uac-bypass-with-fake-dll.txt  [T1548.002,T1574.001]  UAC Bypass With Fake DLL
  T1548.002_uac-bypass-via-event-viewer.txt  [T1548.002]  UAC Bypass via Event Viewer
  T1548.002_uac-bypass-via-sdclt.txt  [T1548.002]  UAC Bypass via Sdclt
  T1542.001_uefi-persistence-via-wpbbin-filecreation.txt  [T1542.001]  UEFI Persistence Via Wpbbin - FileCreation
  T1542.001_uefi-persistence-via-wpbbin-processcreation.txt  [T1542.001]  UEFI Persistence Via Wpbbin - ProcessCreation
  T1059.001_unc2452-process-creation-patterns.txt  [T1059.001]  UNC2452 Process Creation Patterns
  unc4841-barracuda-esg-exploitation-indicators.txt  []  UNC4841 - Barracuda ESG Exploitation Indicators
  T1140_unc4841-download-compressed-files-from-temp-sh-using-wget.txt  [T1140]  UNC4841 - Download Compressed Files From Temp.sh Using Wget
  T1140_unc4841-download-tar-file-from-untrusted-direct-ip-via-wget.txt  [T1140]  UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
  unc4841-email-exfiltration-file-pattern.txt  []  UNC4841 - Email Exfiltration File Pattern
  T1140_unc4841-ssl-certificate-exfiltration-via-openssl.txt  [T1140]  UNC4841 - SSL Certificate Exfiltration Via Openssl
  T1202_uncommon-child-process-of-setres-exe.txt  [T1202,T1218]  Uncommon Child Process Of Setres.EXE
  T1685_uncommon-extension-in-keyboard-layout-ime-file-registry-valu.txt  [T1685]  Uncommon Extension In Keyboard Layout IME File Registry Value
  T1587.001_uncommon-file-created-in-office-startup-folder.txt  [T1587.001]  Uncommon File Created In Office Startup Folder
  T1195.002_uncommon-file-created-by-notepad-updater-gup-exe.txt  [T1195.002,T1557]  Uncommon File Created by Notepad++ Updater Gup.EXE
  uncommon-file-creation-by-mysql-daemon-process.txt  []  Uncommon File Creation By Mysql Daemon Process
  uncommon-filesystem-load-attempt-by-format-com.txt  []  Uncommon FileSystem Load Attempt By Format.com
  T1112_uncommon-microsoft-office-trusted-location-added.txt  [T1112]  Uncommon Microsoft Office Trusted Location Added
  T1685_uninstall-crowdstrike-falcon-sensor.txt  [T1685]  Uninstall Crowdstrike Falcon Sensor
  T1133_unusual-child-process-of-dns-exe.txt  [T1133]  Unusual Child Process of dns.exe
  T1133_unusual-file-deletion-by-dns-exe.txt  [T1133]  Unusual File Deletion by Dns.exe
  T1133_unusual-file-modification-by-dns-exe.txt  [T1133]  Unusual File Modification by dns.exe
  T1059_ursnif-redirection-of-discovery-commands.txt  [T1059]  Ursnif Redirection Of Discovery Commands
  T1098_user-added-to-highly-privileged-group.txt  [T1098]  User Added To Highly Privileged Group
  T1021.001_user-added-to-remote-desktop-users-group.txt  [T1021.001,T1133,T1136.001]  User Added to Remote Desktop Users Group
  T1574.008_using-settingsynchost-exe-as-lolbin.txt  [T1574.008]  Using SettingSyncHost.exe as LOLBin
  T1204.002_vba-dll-loaded-via-office-application.txt  [T1204.002]  VBA DLL Loaded Via Office Application
  T1547.001_vbscript-payload-stored-in-registry.txt  [T1547.001]  VBScript Payload Stored in Registry
  T1005_veeambackup-database-credentials-dump-via-sqlcmd-exe.txt  [T1005]  VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
  T1059_vim-gtfobin-abuse-linux.txt  [T1059,T1083]  Vim GTFOBin Abuse - Linux
  T1027.004_visual-basic-command-line-compiler-usage.txt  [T1027.004]  Visual Basic Command Line Compiler Usage
  T1003.002_volumeshadowcopy-symlink-creation-via-mklink.txt  [T1003.002,T1003.003]  VolumeShadowCopy Symlink Creation Via Mklink
  T1547_winekey-registry-modification.txt  [T1547]  WINEKEY Registry Modification
  T1546.003_wmi-persistence-command-line-event-consumer.txt  [T1546.003]  WMI Persistence - Command Line Event Consumer
  T1546.003_wmi-persistence-script-event-consumer-file-write.txt  [T1546.003]  WMI Persistence - Script Event Consumer File Write
  T1202_wsl-kali-linux-usage.txt  [T1202]  WSL Kali-Linux Usage
  T1059.005_wscript-or-cscript-dropper-file.txt  [T1059.005,T1059.007]  WScript or CScript Dropper - File
  wab-execution-from-non-default-location.txt  []  Wab Execution From Non Default Location
  wab-wabmig-unusual-parent-or-child-processes.txt  []  Wab/Wabmig Unusual Parent Or Child Processes
  T1112_wdigest-credguard-registry-modification.txt  [T1112]  Wdigest CredGuard Registry Modification
  T1112_wdigest-enable-uselogoncredential.txt  [T1112]  Wdigest Enable UseLogonCredential
  T1018_webshell-hacking-activity-patterns.txt  [T1018,T1033,T1087,T1505.003]  Webshell Hacking Activity Patterns
  T1505.003_webshell-tool-reconnaissance-activity.txt  [T1505.003]  Webshell Tool Reconnaissance Activity
  T1003.001_werfault-lsass-process-memory-dump.txt  [T1003.001]  WerFault LSASS Process Memory Dump
  T1033_whoami-as-parameter.txt  [T1033]  WhoAmI as Parameter
  T1547.001_winrar-creating-files-in-startup-locations.txt  [T1547.001]  WinRAR Creating Files in Startup Locations
  T1036_windows-binaries-write-suspicious-extensions.txt  [T1036]  Windows Binaries Write Suspicious Extensions
  T1685_windows-credential-guard-disabled-registry.txt  [T1685]  Windows Credential Guard Disabled - Registry
  T1685_windows-credential-guard-related-registry-value-deleted-regi.txt  [T1685]  Windows Credential Guard Related Registry Value Deleted - Registry
  T1685_windows-defender-service-disabled-registry.txt  [T1685]  Windows Defender Service Disabled - Registry
  T1685_windows-defender-threat-severity-default-action-modified.txt  [T1685]  Windows Defender Threat Severity Default Action Modified
  T1685_windows-hypervisor-enforced-code-integrity-disabled.txt  [T1685]  Windows Hypervisor Enforced Code Integrity Disabled
  T1059_windows-shell-scripting-application-file-write-to-suspicious.txt  [T1059]  Windows Shell/Scripting Application File Write to Suspicious Folder
  T1059.001_windows-shell-scripting-processes-spawning-suspicious-progra.txt  [T1059.001,T1059.005,T1218]  Windows Shell/Scripting Processes Spawning Suspicious Programs
  T1059_windows-suspicious-child-process-from-node-js-react2shell.txt  [T1059,T1190]  Windows Suspicious Child Process from Node.js - React2Shell
  T1685_windows-vulnerable-driver-blocklist-disabled.txt  [T1685]  Windows Vulnerable Driver Blocklist Disabled
  T1547.004_winlogon-notify-key-logon-persistence.txt  [T1547.004]  Winlogon Notify Key Logon Persistence
  T1021.002_wmiprvse-wbemcomn-dll-hijack.txt  [T1021.002,T1047]  Wmiprvse Wbemcomn DLL Hijack
  wusa-exe-executed-by-parent-process-located-in-suspicious-lo.txt  []  Wusa.EXE Executed By Parent Process Located In Suspicious Location
