threatengine.sh Sigma export
backend: cortex_xdr (one .txt file per rule, containing that rule's rendered query)
rules: 559

files:
  T1069.002_adexplorer-writing-complete-ad-snapshot-into-dat-file.txt  [T1069.002,T1087.002,T1482]  ADExplorer Writing Complete AD Snapshot Into .dat File
  T1070.004_ads-zone-identifier-deleted-by-uncommon-application.txt  [T1070.004]  ADS Zone.Identifier Deleted By Uncommon Application
  T1001.003_adsi-cache-file-creation-by-uncommon-tool.txt  [T1001.003]  ADSI-Cache File Creation By Uncommon Tool
  T1216_awl-bypass-with-winrm-vbs-and-malicious-wsmpty-xsl-wsmtxt-xs.txt  [T1216]  AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
  T1216_awl-bypass-with-winrm-vbs-and-malicious-wsmpty-xsl-wsmtxt-xs_2.txt  [T1216]  AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
  T1218_abusing-print-executable.txt  [T1218]  Abusing Print Executable
  T1592.004_access-of-sudoers-file-content.txt  [T1592.004]  Access of Sudoers File Content
  T1112_activate-suppression-of-windows-security-center-notification.txt  [T1112]  Activate Suppression of Windows Security Center Notifications
  add-debugger-entry-to-aedebug-for-persistence.txt  []  Add Debugger Entry To AeDebug For Persistence
  T1112_add-disallowrun-execution-to-registry.txt  [T1112]  Add DisallowRun Execution to Registry
  T1547.010_add-port-monitor-persistence-in-registry.txt  [T1547.010]  Add Port Monitor Persistence in Registry
  T1046_advanced-ip-scanner-file-event.txt  [T1046]  Advanced IP Scanner - File Event
  T1112_allow-rdp-remote-assistance-feature.txt  [T1112]  Allow RDP Remote Assistance Feature
  T1548.002_always-install-elevated-windows-installer.txt  [T1548.002]  Always Install Elevated Windows Installer
  amsi-dll-loaded-via-lolbin-process.txt  []  Amsi.DLL Loaded Via LOLBIN Process
  T1219.002_anydesk-temporary-artefact.txt  [T1219.002]  Anydesk Temporary Artefact
  T1105_arbitrary-file-download-via-gfxdownloadwrapper-exe.txt  [T1105]  Arbitrary File Download Via GfxDownloadWrapper.EXE
  T1218_arbitrary-file-download-via-squirrel-exe.txt  [T1218]  Arbitrary File Download Via Squirrel.EXE
  T1218_arbitrary-msi-download-via-devinit-exe.txt  [T1218]  Arbitrary MSI Download Via Devinit.EXE
  T1204_arbitrary-shell-command-execution-via-settingcontent-ms.txt  [T1204,T1566.001]  Arbitrary Shell Command Execution Via Settingcontent-Ms
  T1127_aspnetcompiler-execution.txt  [T1127]  AspNetCompiler Execution
  assembly-dll-creation-via-aspnetcompiler.txt  []  Assembly DLL Creation Via AspNetCompiler
  T1216_assembly-loading-via-cl-loadassembly-ps1.txt  [T1216]  Assembly Loading Via CL_LoadAssembly.ps1
  T1218_atbroker-registry-change.txt  [T1218,T1547]  Atbroker Registry Change
  T1123_audio-capture-via-powershell.txt  [T1123]  Audio Capture via PowerShell
  T1123_audio-capture-via-soundrecorder.txt  [T1123]  Audio Capture via SoundRecorder
  T1059.004_bpftrace-unsafe-option-usage.txt  [T1059.004]  BPFtrace Unsafe Option Usage
  T1490_backup-files-deleted.txt  [T1490]  Backup Files Deleted
  T1185_browser-started-with-remote-debugging.txt  [T1185]  Browser Started with Remote Debugging
  T1204.002_clr-dll-loaded-via-office-applications.txt  [T1204.002]  CLR DLL Loaded Via Office Applications
  T1546.015_com-hijacking-via-treatas.txt  [T1546.015]  COM Hijacking via TreatAs
  T1218_com-object-execution-via-xwizard-exe.txt  [T1218]  COM Object Execution via Xwizard.EXE
  T1569.002_csexec-service-file-creation.txt  [T1569.002]  CSExec Service File Creation
  cve-2024-1708-screenconnect-path-traversal-exploitation.txt  []  CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
  cab-file-extraction-via-wusa-exe.txt  []  Cab File Extraction Via Wusa.EXE
  T1059.001_certificate-exported-via-powershell.txt  [T1059.001,T1552.004]  Certificate Exported Via PowerShell
  T1574.011_changing-existing-service-imagepath-value-via-reg-exe.txt  [T1574.011]  Changing Existing Service ImagePath Value Via Reg.EXE
  T1222.002_chmod-targeting-sensitive-directories.txt  [T1222.002]  Chmod Targeting Sensitive Directories
  T1176.001_chromium-browser-instance-executed-with-custom-extension.txt  [T1176.001]  Chromium Browser Instance Executed With Custom Extension
  T1059_clfs-sys-loaded-by-process-located-in-a-potential-suspicious.txt  [T1059]  Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
  clickonce-deployment-execution-dfsvc-exe-child-process.txt  []  ClickOnce Deployment Execution - Dfsvc.EXE Child Process
  T1112_clickonce-trust-prompt-tampering.txt  [T1112]  ClickOnce Trust Prompt Tampering
  T1059.002_clipboard-access-via-osascript.txt  [T1059.002,T1115]  Clipboard Access Via OSAScript
  T1115_clipboard-data-collection-via-pbpaste.txt  [T1115]  Clipboard Data Collection Via Pbpaste
  T1090.001_cloudflared-portable-execution.txt  [T1090.001]  Cloudflared Portable Execution
  T1090_cloudflared-tunnel-connections-cleanup.txt  [T1090,T1102,T1572]  Cloudflared Tunnel Connections Cleanup
  T1090_cloudflared-tunnel-execution.txt  [T1090,T1102,T1572]  Cloudflared Tunnel Execution
  T1059.001_command-line-execution-with-suspicious-url-and-appdata-strin.txt  [T1059.001,T1059.003,T1105]  Command Line Execution with Suspicious URL and AppData Strings
  T1078.001_commvault-qlogin-with-publicsharinguser-and-guid-password-cv.txt  [T1078.001]  Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
  T1560.001_compress-data-and-lock-with-password-for-exfiltration-with-w.txt  [T1560.001]  Compress Data and Lock With Password for Exfiltration With WINZIP
  T1059_conhost-spawned-by-uncommon-parent-process.txt  [T1059]  Conhost Spawned By Uncommon Parent Process
  T1614.001_console-codepage-lookup-via-chcp.txt  [T1614.001]  Console CodePage Lookup Via CHCP
  T1112_crashcontrol-crashdump-disabled.txt  [T1112,T1564]  CrashControl CrashDump Disabled
  T1055_created-files-by-microsoft-sync-center.txt  [T1055,T1218]  Created Files by Microsoft Sync Center
  T1574.001_creation-of-non-existent-system-dll.txt  [T1574.001]  Creation Of Non-Existent System DLL
  T1574.001_creation-of-werfault-exe-wer-dll-in-unusual-folder.txt  [T1574.001]  Creation of WerFault.exe/Wer.dll in Unusual Folder
  creation-of-a-diagcab.txt  []  Creation of a Diagcab
  T1555.001_credentials-from-password-stores-keychain.txt  [T1555.001]  Credentials from Password Stores - Keychain
  cscript-wscript-potentially-suspicious-child-process.txt  []  Cscript/Wscript Potentially Suspicious Child Process
  T1071.001_curl-exe-execution-with-custom-useragent.txt  [T1071.001]  Curl.EXE Execution With Custom UserAgent
  T1547.001_currentcontrolset-autorun-keys-modification.txt  [T1547.001]  CurrentControlSet Autorun Keys Modification
  T1574_dll-execution-via-register-cimprovider-exe.txt  [T1574]  DLL Execution Via Register-cimprovider.exe
  T1070_dll-load-by-system-process-from-suspicious-locations.txt  [T1070]  DLL Load By System Process From Suspicious Locations
  T1574.001_dll-names-used-by-svr-for-graphicalproton-backdoor.txt  [T1574.001]  DLL Names Used By SVR For GraphicalProton Backdoor
  T1112_dns-over-https-enabled-by-registry.txt  [T1112,T1140]  DNS-over-HTTPS Enabled by Registry
  T1059_darkgate-autoit3-exe-file-creation-by-uncommon-process.txt  [T1059,T1105]  DarkGate - Autoit3.EXE File Creation By Uncommon Process
  T1059_darkgate-drop-darkgate-loader-in-c-temp-directory.txt  [T1059]  DarkGate - Drop DarkGate Loader In C:\Temp Directory
  T1003.001_dbghelp-dbgcore-dll-loaded-by-uncommon-suspicious-process.txt  [T1003.001]  Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
  T1053.005_defrag-deactivation.txt  [T1053.005]  Defrag Deactivation
  delete-defender-scan-shellex-context-menu-registry-key.txt  []  Delete Defender Scan ShellEx Context Menu Registry Key
  T1547.009_desktop-ini-created-by-uncommon-process.txt  [T1547.009]  Desktop.INI Created by Uncommon Process
  T1518_detected-windows-software-discovery.txt  [T1518]  Detected Windows Software Discovery
  T1218_devicecredentialdeployment-execution.txt  [T1218]  DeviceCredentialDeployment Execution
  T1070.005_disable-administrative-share-creation-at-startup.txt  [T1070.005]  Disable Administrative Share Creation at Startup
  T1685_disable-exploit-guard-network-protection-on-windows-defender.txt  [T1685]  Disable Exploit Guard Network Protection on Windows Defender
  T1112_disable-internal-tools-or-feature-in-registry.txt  [T1112]  Disable Internal Tools or Feature in Registry
  T1686.003_disable-microsoft-defender-firewall-via-registry.txt  [T1686.003]  Disable Microsoft Defender Firewall via Registry
  T1489_disable-or-stop-services.txt  [T1489,T1685]  Disable Or Stop Services
  T1685_disable-privacy-settings-experience-in-registry.txt  [T1685]  Disable Privacy Settings Experience in Registry
  T1685_disable-security-tools.txt  [T1685]  Disable Security Tools
  T1685_disable-tamper-protection-on-windows-defender.txt  [T1685]  Disable Tamper Protection on Windows Defender
  T1686.003_disable-windows-firewall-by-registry.txt  [T1686.003]  Disable Windows Firewall by Registry
  T1112_disable-windows-security-center-notifications.txt  [T1112]  Disable Windows Security Center Notifications
  T1686_disabling-security-tools.txt  [T1686]  Disabling Security Tools
  disk-image-creation-via-hdiutil-macos.txt  []  Disk Image Creation Via Hdiutil - MacOS
  T1560.001_disk-image-mounting-via-hdiutil-macos.txt  [T1560.001,T1566.001]  Disk Image Mounting Via Hdiutil - MacOS
  T1218_diskshadow-child-process-spawned.txt  [T1218]  Diskshadow Child Process Spawned
  T1685_dism-remove-online-package.txt  [T1685]  Dism Remove Online Package
  T1564.001_displaying-hidden-files-feature-disabled.txt  [T1564.001]  Displaying Hidden Files Feature Disabled
  T1204.002_dotnet-assembly-dll-loaded-via-office-application.txt  [T1204.002]  DotNET Assembly DLL Loaded Via Office Application
  T1105_download-file-to-potentially-suspicious-directory-via-wget.txt  [T1105]  Download File To Potentially Suspicious Directory Via Wget
  drop-binaries-into-spool-drivers-color-folder.txt  []  Drop Binaries Into Spool Drivers Color Folder
  T1556.002_dropping-of-password-filter-dll.txt  [T1556.002]  Dropping Of Password Filter DLL
  T1003.001_dumping-process-via-sqldumper-exe.txt  [T1003.001]  Dumping Process via Sqldumper.exe
  T1027.004_dynamic-net-compilation-via-csc-exe.txt  [T1027.004]  Dynamic .NET Compilation Via Csc.EXE
  T1027.004_dynamic-net-compilation-via-csc-exe-hunting.txt  [T1027.004]  Dynamic .NET Compilation Via Csc.EXE - Hunting
  T1059.012_esxi-account-creation-via-esxcli.txt  [T1059.012,T1136]  ESXi Account Creation Via ESXCLI
  T1007_esxi-network-configuration-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi Network Configuration Discovery Via ESXCLI
  T1007_esxi-storage-information-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi Storage Information Discovery Via ESXCLI
  T1059.012_esxi-syslog-configuration-change-via-esxcli.txt  [T1059.012,T1685,T1690]  ESXi Syslog Configuration Change Via ESXCLI
  T1007_esxi-system-information-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi System Information Discovery Via ESXCLI
  T1059.012_esxi-vm-kill-via-esxcli.txt  [T1059.012,T1529]  ESXi VM Kill Via ESXCLI
  T1007_esxi-vm-list-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi VM List Discovery Via ESXCLI
  T1007_esxi-vsan-information-discovery-via-esxcli.txt  [T1007,T1033,T1059.012]  ESXi VSAN Information Discovery Via ESXCLI
  T1685.001_evtx-created-in-uncommon-location.txt  [T1685.001]  EVTX Created In Uncommon Location
  enable-bpf-kprobes-tracing.txt  []  Enable BPF Kprobes Tracing
  enable-local-manifest-installation-with-winget.txt  []  Enable Local Manifest Installation With Winget
  T1559.002_enable-microsoft-dynamic-data-exchange.txt  [T1559.002]  Enable Microsoft Dynamic Data Exchange
  T1685_enable-remote-connection-between-anonymous-computer-allowano.txt  [T1685]  Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
  T1574.012_enabling-cor-profiler-environment-variables.txt  [T1574.012]  Enabling COR Profiler Environment Variables
  T1552.002_enumeration-for-3rd-party-creds-from-cli.txt  [T1552.002]  Enumeration for 3rd Party Creds From CLI
  T1552.002_enumeration-for-credentials-in-registry.txt  [T1552.002]  Enumeration for Credentials in Registry
  T1003_esentutl-gather-credentials.txt  [T1003,T1003.003]  Esentutl Gather Credentials
  T1070_eventlog-evtx-file-deleted.txt  [T1070]  EventLog EVTX File Deleted
  T1059.001_execute-code-with-pester-bat.txt  [T1059.001,T1216]  Execute Code with Pester.bat
  T1059.001_execute-code-with-pester-bat-as-parent.txt  [T1059.001,T1216]  Execute Code with Pester.bat as Parent
  T1218_execute-files-with-msdeploy-exe.txt  [T1218]  Execute Files with Msdeploy.exe
  T1564.004_execute-from-alternate-data-streams.txt  [T1564.004]  Execute From Alternate Data Streams
  T1505.003_execution-from-webserver-root-folder.txt  [T1505.003]  Execution From Webserver Root Folder
  execution-of-script-located-in-potentially-suspicious-direct.txt  []  Execution Of Script Located In Potentially Suspicious Directory
  T1203_exploit-for-cve-2017-0261.txt  [T1203,T1204.002,T1566.001]  Exploit for CVE-2017-0261
  T1036_explorer-process-tree-break.txt  [T1036]  Explorer Process Tree Break
  T1070.004_file-deleted-via-sysinternals-sdelete.txt  [T1070.004]  File Deleted Via Sysinternals SDelete
  T1105_file-download-from-browser-process-via-inline-url.txt  [T1105]  File Download From Browser Process Via Inline URL
  T1105_file-download-via-curl-exe.txt  [T1105]  File Download Via Curl.EXE
  T1105_file-download-via-nscurl-macos.txt  [T1105]  File Download Via Nscurl - MacOS
  T1070.006_file-time-attribute-change.txt  [T1070.006]  File Time Attribute Change
  T1222.001_file-or-folder-permissions-modifications.txt  [T1222.001]  File or Folder Permissions Modifications
  T1036.005_files-with-system-dll-name-in-unsuspected-locations.txt  [T1036.005]  Files With System DLL Name In Unsuspected Locations
  T1036.005_files-with-system-process-name-in-unsuspected-locations.txt  [T1036.005]  Files With System Process Name In Unsuspected Locations
  T1686_flush-iptables-ufw-chain.txt  [T1686]  Flush Iptables Ufw Chain
  T1074.001_folder-compress-to-potentially-suspicious-output-via-compres.txt  [T1074.001]  Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
  T1685.001_forest-blizzard-apt-javascript-constrained-file-creation.txt  [T1685.001]  Forest Blizzard APT - JavaScript Constrained File Creation
  gathernetworkinfo-vbs-reconnaissance-script-output.txt  []  GatherNetworkInfo.VBS Reconnaissance Script Output
  T1219.002_gotoassist-temporary-installation-artefact.txt  [T1219.002]  GoToAssist Temporary Installation Artefact
  T1615_gpresult-display-group-policy-information.txt  [T1615]  Gpresult Display Group Policy Information
  T1531_group-has-been-deleted-via-groupdel.txt  [T1531]  Group Has Been Deleted Via Groupdel
  T1132.001_gzip-archive-decode-via-powershell.txt  [T1132.001]  Gzip Archive Decode Via PowerShell
  T1059.003_hacktool-jlaive-in-memory-assembly-execution.txt  [T1059.003]  HackTool - Jlaive In-Memory Assembly Execution
  hacktool-lazagne-execution.txt  []  HackTool - LaZagne Execution
  T1021.006_hacktool-winrm-access-via-evil-winrm.txt  [T1021.006]  HackTool - WinRM Access Via Evil-WinRM
  T1059.001_headless-process-launched-via-conhost-exe.txt  [T1059.001,T1059.003]  Headless Process Launched Via Conhost.EXE
  T1105_hidden-flag-set-on-file-directory-via-chflags-macos.txt  [T1105,T1218,T1552.001,T1564.004]  Hidden Flag Set On File/Directory Via Chflags - MacOS
  T1059.001_hidden-powershell-in-link-file-pattern.txt  [T1059.001]  Hidden Powershell in Link File Pattern
  T1564.002_hidden-user-creation.txt  [T1564.002]  Hidden User Creation
  T1564.002_hiding-user-account-via-specialaccounts-registry-key-command.txt  [T1564.002]  Hiding User Account Via SpecialAccounts Registry Key - CommandLine
  T1137_ie-change-domain-zone.txt  [T1137]  IE Change Domain Zone
  T1070_iis-webserver-access-logs-deleted.txt  [T1070]  IIS WebServer Access Logs Deleted
  T1566.001_iso-or-image-mount-indicator-in-recent-files.txt  [T1566.001]  ISO or Image Mount Indicator in Recent Files
  T1059.001_import-powershell-modules-from-suspicious-directories-proccr.txt  [T1059.001]  Import PowerShell Modules From Suspicious Directories - ProcCreation
  T1685.006_indicator-removal-on-host-clear-mac-system-logs.txt  [T1685.006]  Indicator Removal on Host - Clear Mac System Logs
  T1202_indirect-command-execution-via-sftp-proxycommand.txt  [T1202]  Indirect Command Execution via SFTP ProxyCommand
  T1218_infdefaultinstall-exe-inf-execution.txt  [T1218]  InfDefaultInstall.exe .inf Execution
  T1219.002_installation-of-teamviewer-desktop.txt  [T1219.002]  Installation of TeamViewer Desktop
  T1036_interactive-bash-suspicious-children.txt  [T1036,T1059.004]  Interactive Bash Suspicious Children
  T1547.001_internet-explorer-autorun-keys-modification.txt  [T1547.001]  Internet Explorer Autorun Keys Modification
  internet-explorer-disablefirstruncustomize-enabled.txt  []  Internet Explorer DisableFirstRunCustomize Enabled
  T1003.003_invocation-of-active-directory-diagnostic-tool-ntdsutil-exe.txt  [T1003.003]  Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
  T1027_invoke-obfuscation-compress-obfuscation.txt  [T1027,T1059.001]  Invoke-Obfuscation COMPRESS OBFUSCATION
  jamf-mdm-potential-suspicious-child-process.txt  []  JAMF MDM Potential Suspicious Child Process
  T1203_java-running-with-remote-debugging.txt  [T1203]  Java Running with Remote Debugging
  T1553.003_kapeka-backdoor-configuration-persistence.txt  [T1553.003]  Kapeka Backdoor Configuration Persistence
  T1543.001_launch-agent-daemon-execution-via-launchctl.txt  [T1543.001,T1543.004,T1569.001]  Launch Agent/Daemon Execution Via Launchctl
  T1216.001_launch-vsdevshell-ps1-proxy-execution.txt  [T1216.001]  Launch-VsDevShell.PS1 Proxy Execution
  T1140_linux-base64-encoded-pipe-to-shell.txt  [T1140]  Linux Base64 Encoded Pipe to Shell
  T1140_linux-base64-encoded-shebang-in-cli.txt  [T1140]  Linux Base64 Encoded Shebang In CLI
  T1548_linux-doas-conf-file-creation.txt  [T1548]  Linux Doas Conf File Creation
  T1685.006_linux-logs-clearing-attempts.txt  [T1685.006]  Linux Logs Clearing Attempts
  T1140_linux-shell-pipe-to-shell.txt  [T1140]  Linux Shell Pipe to Shell
  livekd-driver-creation.txt  []  LiveKD Driver Creation
  T1218_lolbin-runexehelper-use-as-proxy.txt  [T1218]  Lolbin Runexehelper Use As Proxy
  T1059.005_mmc-loading-script-engines-dlls.txt  [T1059.005,T1218.014]  MMC Loading Script Engines DLLs
  T1505.002_msexchange-transport-agent-installation.txt  [T1505.002]  MSExchange Transport Agent Installation
  T1546.014_macos-emond-launch-daemon.txt  [T1546.014]  MacOS Emond Launch Daemon
  T1059.002_macos-scripting-interpreter-applescript.txt  [T1059.002]  MacOS Scripting Interpreter AppleScript
  T1218_malicious-pe-execution-by-microsoft-visual-studio-debugger.txt  [T1218]  Malicious PE Execution by Microsoft Visual Studio Debugger
  T1059_manual-execution-of-script-inside-of-a-compressed-file.txt  [T1059]  Manual Execution of Script Inside of a Compressed File
  T1204.002_microsoft-excel-add-in-loaded-from-uncommon-location.txt  [T1204.002]  Microsoft Excel Add-In Loaded From Uncommon Location
  T1112_microsoft-office-trusted-location-updated.txt  [T1112]  Microsoft Office Trusted Location Updated
  T1055_microsoft-sync-center-suspicious-network-connections.txt  [T1055,T1218]  Microsoft Sync Center Suspicious Network Connections
  T1204.002_microsoft-vba-for-outlook-addin-loaded-via-outlook.txt  [T1204.002]  Microsoft VBA For Outlook Addin Loaded Via Outlook
  T1564_mount-execution-with-hidepid-parameter.txt  [T1564]  Mount Execution With Hidepid Parameter
  T1105_msiexec-web-install.txt  [T1105,T1218.007]  MsiExec Web Install
  T1220_msxsl-exe-execution.txt  [T1220]  Msxsl.EXE Execution
  T1112_new-bginfo-exe-custom-db-path-registry-configuration.txt  [T1112]  New BgInfo.EXE Custom DB Path Registry Configuration
  T1112_new-bginfo-exe-custom-vbscript-registry-configuration.txt  [T1112]  New BgInfo.EXE Custom VBScript Registry Configuration
  T1112_new-bginfo-exe-custom-wmi-query-registry-configuration.txt  [T1112]  New BgInfo.EXE Custom WMI Query Registry Configuration
  T1547.009_new-custom-shim-database-created.txt  [T1547.009]  New Custom Shim Database Created
  T1490_new-file-exclusion-added-to-time-machine-via-tmutil-macos.txt  [T1490]  New File Exclusion Added To Time Machine Via Tmutil - MacOS
  T1543.003_new-kernel-driver-via-sc-exe.txt  [T1543.003]  New Kernel Driver Via SC.EXE
  T1008_new-outlook-macro-created.txt  [T1008,T1137,T1546]  New Outlook Macro Created
  T1090_new-portproxy-registry-entry-added.txt  [T1090]  New PortProxy Registry Entry Added
  T1490_new-root-or-ca-or-authroot-certificate-to-store.txt  [T1490]  New Root or CA or AuthRoot Certificate to Store
  T1059.007_node-process-executions.txt  [T1059.007,T1127]  Node Process Executions
  T1059.004_nohup-execution.txt  [T1059.004]  Nohup Execution
  obfuscated-ip-download-activity.txt  []  Obfuscated IP Download Activity
  obfuscated-ip-via-cli.txt  []  Obfuscated IP Via CLI
  T1137.002_office-application-startup-office-test.txt  [T1137.002]  Office Application Startup - Office Test
  old-tls1-0-tls1-1-protocol-version-enabled.txt  []  Old TLS1.0/TLS1.1 Protocol Version Enabled
  onenote-attachment-file-dropped-in-suspicious-location.txt  []  OneNote Attachment File Dropped In Suspicious Location
  T1021.004_openedr-spawning-command-shell.txt  [T1021.004,T1059.003,T1219]  OpenEDR Spawning Command Shell
  T1059.002_osacompile-execution-by-potentially-suspicious-applet-osascr.txt  [T1059.002]  Osacompile Execution By Potentially Suspicious Applet/Osascript
  T1137_outlook-security-settings-updated-registry.txt  [T1137]  Outlook Security Settings Updated - Registry
  psscriptpolicytest-creation-by-uncommon-process.txt  []  PSScriptPolicyTest Creation By Uncommon Process
  T1056.002_pua-mouse-lock-execution.txt  [T1056.002]  PUA - Mouse Lock Execution
  T1588.002_pua-sysinternals-tools-execution-registry.txt  [T1588.002]  PUA - Sysinternals Tools Execution - Registry
  T1083_pua-trufflehog-execution.txt  [T1083,T1552.001]  PUA - TruffleHog Execution
  T1083_pua-trufflehog-execution-linux.txt  [T1083,T1552.001]  PUA - TruffleHog Execution - Linux
  T1546.002_path-to-screensaver-binary-modified.txt  [T1546.002]  Path To Screensaver Binary Modified
  T1059_payload-decoded-and-decrypted-via-built-in-utilities.txt  [T1059,T1140,T1204]  Payload Decoded and Decrypted via Built-in Utilities
  T1113_periodic-backup-for-system-registry-hives-enabled.txt  [T1113]  Periodic Backup For System Registry Hives Enabled
  persistence-via-disk-cleanup-handler-autorun.txt  []  Persistence Via Disk Cleanup Handler - Autorun
  T1553.003_persistence-via-new-sip-provider.txt  [T1553.003]  Persistence Via New SIP Provider
  T1548.003_persistence-via-sudoers-d-files.txt  [T1548.003]  Persistence Via Sudoers.d Files
  persistence-via-typedpaths-commandline.txt  []  Persistence Via TypedPaths - CommandLine
  T1046_pnscan-binary-data-transmission-activity.txt  [T1046]  Pnscan Binary Data Transmission Activity
  T1021.001_port-forwarding-activity-via-ssh-exe.txt  [T1021.001,T1021.004,T1572]  Port Forwarding Activity Via SSH.EXE
  T1685_potential-amsi-bypass-using-null-bits.txt  [T1685]  Potential AMSI Bypass Using NULL Bits
  T1059.001_potential-apt-fin7-exploitation-activity.txt  [T1059.001,T1059.003]  Potential APT FIN7 Exploitation Activity
  T1218.010_potential-apt-c-12-bluemushroom-dll-load-activity-via-regsvr.txt  [T1218.010]  Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
  T1574.001_potential-avkkid-dll-sideloading.txt  [T1574.001]  Potential AVKkid.DLL Sideloading
  T1219.002_potential-amazon-ssm-agent-hijacking.txt  [T1219.002]  Potential Amazon SSM Agent Hijacking
  T1574.001_potential-antivirus-software-dll-sideloading.txt  [T1574.001]  Potential Antivirus Software DLL Sideloading
  T1027.004_potential-application-whitelisting-bypass-via-dnx-exe.txt  [T1027.004,T1218]  Potential Application Whitelisting Bypass via Dnx.EXE
  potential-binary-or-script-dropper-via-powershell.txt  []  Potential Binary Or Script Dropper Via PowerShell
  T1574.001_potential-ccleanerdu-dll-sideloading.txt  [T1574.001]  Potential CCleanerDU.DLL Sideloading
  T1574.001_potential-ccleanerreactivator-dll-sideloading.txt  [T1574.001]  Potential CCleanerReactivator.DLL Sideloading
  T1546.015_potential-com-object-hijacking-via-treatas-subkey-registry.txt  [T1546.015]  Potential COM Object Hijacking Via TreatAs Subkey - Registry
  T1105_potential-com-objects-download-cradles-usage-process-creatio.txt  [T1105]  Potential COM Objects Download Cradles Usage - Process Creation
  T1059.006_potential-cve-2022-22954-exploitation-attempt-vmware-workspa.txt  [T1059.006,T1190]  Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
  potential-cve-2023-36874-exploitation-uncommon-report-wer-lo.txt  []  Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
  potential-cve-2023-36884-exploitation-dropped-file.txt  []  Potential CVE-2023-36884 Exploitation Dropped File
  potential-cve-2024-3400-exploitation-palo-alto-globalprotect.txt  []  Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
  T1068_potential-cve-2024-35250-exploitation-activity.txt  [T1068]  Potential CVE-2024-35250 Exploitation Activity
  T1574.001_potential-chrome-frame-helper-dll-sideloading.txt  [T1574.001]  Potential Chrome Frame Helper DLL Sideloading
  T1036_potential-command-line-path-traversal-evasion-attempt.txt  [T1036]  Potential Command Line Path Traversal Evasion Attempt
  T1027_potential-commandline-obfuscation-using-unicode-characters.txt  [T1027]  Potential CommandLine Obfuscation Using Unicode Characters
  T1140_potential-commandline-obfuscation-using-escape-characters.txt  [T1140]  Potential Commandline Obfuscation Using Escape Characters
  T1003_potential-credential-dumping-attempt-using-new-networkprovid.txt  [T1003]  Potential Credential Dumping Attempt Using New NetworkProvider - REG
  T1059.001_potential-dll-file-download-via-powershell-invoke-webrequest.txt  [T1059.001,T1105]  Potential DLL File Download Via PowerShell Invoke-WebRequest
  T1574.001_potential-dll-sideloading-of-dbgcore-dll.txt  [T1574.001]  Potential DLL Sideloading Of DBGCORE.DLL
  T1574.001_potential-dll-sideloading-of-dbghelp-dll.txt  [T1574.001]  Potential DLL Sideloading Of DBGHELP.DLL
  T1574.001_potential-dll-sideloading-of-dbgmodel-dll.txt  [T1574.001]  Potential DLL Sideloading Of DbgModel.DLL
  T1574.001_potential-dll-sideloading-of-libcurl-dll-via-gup-exe.txt  [T1574.001]  Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
  T1574.001_potential-dll-sideloading-of-mpsvc-dll.txt  [T1574.001]  Potential DLL Sideloading Of MpSvc.DLL
  T1574.001_potential-dll-sideloading-of-mscorsvc-dll.txt  [T1574.001]  Potential DLL Sideloading Of MsCorSvc.DLL
  T1055_potential-dll-sideloading-using-coregen-exe.txt  [T1055,T1218]  Potential DLL Sideloading Using Coregen.exe
  T1574.001_potential-dll-sideloading-via-classicexplorer32-dll.txt  [T1574.001]  Potential DLL Sideloading Via ClassicExplorer32.dll
  T1574.001_potential-dll-sideloading-via-jsschhlp.txt  [T1574.001]  Potential DLL Sideloading Via JsSchHlp
  T1105_potential-data-exfiltration-via-curl-exe.txt  [T1105,T1567]  Potential Data Exfiltration Via Curl.EXE
  T1083_potential-discovery-activity-using-find-linux.txt  [T1083]  Potential Discovery Activity Using Find - Linux
  T1083_potential-discovery-activity-using-find-macos.txt  [T1083]  Potential Discovery Activity Using Find - MacOS
  potential-discovery-activity-via-dnscmd-exe.txt  []  Potential Discovery Activity Via Dnscmd.EXE
  T1059_potential-dosfuscation-activity.txt  [T1059]  Potential Dosfuscation Activity
  T1105_potential-download-upload-activity-using-type-command.txt  [T1105]  Potential Download/Upload Activity Using Type Command
  T1059.005_potential-dropper-script-execution-via-wscript-cscript-mshta.txt  [T1059.005,T1059.007]  Potential Dropper Script Execution Via WScript/CScript/MSHTA
  potential-encrypted-registry-blob-related-to-snake-malware.txt  []  Potential Encrypted Registry Blob Related To SNAKE Malware
  T1003_potential-exploitation-of-cve-2025-5054-or-cve-2025-4598.txt  [T1003,T1548]  Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
  T1036_potential-fake-instance-of-hxtsr-exe-executed.txt  [T1036]  Potential Fake Instance Of Hxtsr.EXE Executed
  T1218_potential-file-download-via-ms-appinstaller-protocol-handler.txt  [T1218]  Potential File Download Via MS-AppInstaller Protocol Handler
  T1574.001_potential-goopdate-dll-sideloading.txt  [T1574.001]  Potential Goopdate.DLL Sideloading
  T1564.004_potential-hidden-directory-creation-via-ntfs-index-allocatio.txt  [T1564.004]  Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
  T1564.004_potential-hidden-directory-creation-via-ntfs-index-allocatio_2.txt  [T1564.004]  Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
  T1036_potential-homoglyph-attack-using-lookalike-characters.txt  [T1036,T1036.003]  Potential Homoglyph Attack Using Lookalike Characters
  T1036_potential-homoglyph-attack-using-lookalike-characters-in-fil.txt  [T1036,T1036.003]  Potential Homoglyph Attack Using Lookalike Characters in Filename
  T1059.007_potential-in-memory-download-and-compile-of-payloads.txt  [T1059.007,T1105]  Potential In-Memory Download And Compile Of Payloads
  T1566_potential-initial-access-via-dll-search-order-hijacking.txt  [T1566,T1566.001,T1574,T1574.001]  Potential Initial Access via DLL Search Order Hijacking
  T1059_potential-kamikakabot-activity-lure-document-execution.txt  [T1059]  Potential KamiKakaBot Activity - Lure Document Execution
  potential-kamikakabot-activity-shutdown-schedule-task-creati.txt  []  Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
  T1021.006_potential-lateral-movement-via-windows-remote-shell.txt  [T1021.006]  Potential Lateral Movement via Windows Remote Shell
  T1574.001_potential-libvlc-dll-sideloading.txt  [T1574.001]  Potential Libvlc.DLL Sideloading
  T1219.002_potential-linux-amazon-ssm-agent-hijacking.txt  [T1219.002]  Potential Linux Amazon SSM Agent Hijacking
  T1055.009_potential-linux-process-code-injection-via-dd-utility.txt  [T1055.009]  Potential Linux Process Code Injection Via DD Utility
  T1059_potential-moveit-transfer-cve-2023-34362-exploitation-dynami.txt  [T1059]  Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
  T1574.001_potential-mfdetours-dll-sideloading.txt  [T1574.001]  Potential Mfdetours.DLL Sideloading
  T1127_potential-mftrace-exe-abuse.txt  [T1127]  Potential Mftrace.EXE Abuse
  T1040_potential-network-sniffing-activity-using-network-tools.txt  [T1040]  Potential Network Sniffing Activity Using Network Tools
  T1036.003_potential-pendingfilerenameoperations-tampering.txt  [T1036.003]  Potential PendingFileRenameOperations Tampering
  potential-persistence-attempt-via-errorhandler-cmd.txt  []  Potential Persistence Attempt Via ErrorHandler.Cmd
  T1543.003_potential-persistence-attempt-via-existing-service-tampering.txt  [T1543.003,T1574.011]  Potential Persistence Attempt Via Existing Service Tampering
  T1547.001_potential-persistence-attempt-via-run-keys-using-reg-exe.txt  [T1547.001]  Potential Persistence Attempt Via Run Keys Using Reg.EXE
  T1546.015_potential-persistence-using-debugpath.txt  [T1546.015]  Potential Persistence Using DebugPath
  T1546.011_potential-persistence-via-appcompat-registerapprestart-layer.txt  [T1546.011]  Potential Persistence Via AppCompat RegisterAppRestart Layer
  T1112_potential-persistence-via-custom-protocol-handler.txt  [T1112]  Potential Persistence Via Custom Protocol Handler
  T1112_potential-persistence-via-event-viewer-events-asp.txt  [T1112]  Potential Persistence Via Event Viewer Events.asp
  T1037.001_potential-persistence-via-logon-scripts-registry.txt  [T1037.001]  Potential Persistence Via Logon Scripts - Registry
  T1546.007_potential-persistence-via-netsh-helper-dll-registry.txt  [T1546.007]  Potential Persistence Via Netsh Helper DLL - Registry
  potential-persistence-via-new-amsi-providers-registry.txt  []  Potential Persistence Via New AMSI Providers - Registry
  potential-persistence-via-notepad-plugins.txt  []  Potential Persistence Via Notepad++ Plugins
  T1546.015_potential-persistence-via-scrobj-dll-com-hijacking.txt  [T1546.015]  Potential Persistence Via Scrobj.dll COM Hijacking
  T1137.006_potential-persistence-via-visual-studio-tools-for-office.txt  [T1137.006]  Potential Persistence Via Visual Studio Tools for Office
  T1059.003_potential-pikabot-infection-suspicious-command-combinations.txt  [T1059.003,T1105,T1218]  Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
  T1552.001_potential-powershell-console-history-access-attempt-via-hist.txt  [T1552.001]  Potential PowerShell Console History Access Attempt via History File
  T1059.001_potential-powershell-downgrade-attack.txt  [T1059.001]  Potential PowerShell Downgrade Attack
  potential-powershell-execution-policy-tampering.txt  []  Potential PowerShell Execution Policy Tampering
  T1216_potential-process-execution-proxy-via-cl-invocation-ps1.txt  [T1216]  Potential Process Execution Proxy Via CL_Invocation.ps1
  T1218_potential-provlaunch-exe-binary-proxy-execution-abuse.txt  [T1218]  Potential Provlaunch.EXE Binary Proxy Execution Abuse
  T1574_potential-registry-persistence-attempt-via-dbgmanageddebugge.txt  [T1574]  Potential Registry Persistence Attempt Via DbgManagedDebugger
  T1218.010_potential-regsvr32-commandline-flag-anomaly.txt  [T1218.010]  Potential Regsvr32 Commandline Flag Anomaly
  T1021_potential-remote-desktop-tunneling.txt  [T1021]  Potential Remote Desktop Tunneling
  T1574.001_potential-rjvplatform-dll-sideloading-from-default-location.txt  [T1574.001]  Potential RjvPlatform.DLL Sideloading From Default Location
  T1574.001_potential-roboform-dll-sideloading.txt  [T1574.001]  Potential RoboForm.DLL Sideloading
  potential-ruby-reverse-shell.txt  []  Potential Ruby Reverse Shell
  T1059.003_potential-sap-netweaver-webshell-creation.txt  [T1059.003,T1190]  Potential SAP NetWeaver Webshell Creation
  T1059.003_potential-sap-netweaver-webshell-creation-linux.txt  [T1059.003,T1190]  Potential SAP NetWeaver Webshell Creation - Linux
  T1216_potential-script-proxy-execution-via-cl-mutexverifiers-ps1.txt  [T1216]  Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
  potential-sentinelone-shell-context-menu-scan-command-tamper.txt  []  Potential SentinelOne Shell Context Menu Scan Command Tampering
  T1574.001_potential-shelldispatch-dll-sideloading.txt  [T1574.001]  Potential ShellDispatch.DLL Sideloading
  T1574.001_potential-solidpdfcreator-dll-sideloading.txt  [T1574.001]  Potential SolidPDFCreator.DLL Sideloading
  T1204.002_potential-suspicious-browser-launch-from-document-reader-pro.txt  [T1204.002]  Potential Suspicious Browser Launch From Document Reader Process
  T1565.001_potential-suspicious-change-to-sensitive-critical-files.txt  [T1565.001]  Potential Suspicious Change To Sensitive/Critical Files
  potential-suspicious-powershell-module-file-created.txt  []  Potential Suspicious PowerShell Module File Created
  potential-suspicious-windows-feature-enabled-proccreation.txt  []  Potential Suspicious Windows Feature Enabled - ProcCreation
  T1548.002_potential-uac-bypass-via-sdclt-exe.txt  [T1548.002]  Potential UAC Bypass Via Sdclt.EXE
  T1574.001_potential-vivaldi-elf-dll-sideloading.txt  [T1574.001]  Potential Vivaldi_elf.DLL Sideloading
  T1574.001_potential-wwlib-dll-sideloading.txt  [T1574.001]  Potential WWlib.DLL Sideloading
  T1574.001_potential-wazuh-security-platform-dll-sideloading.txt  [T1574.001]  Potential Wazuh Security Platform DLL Sideloading
  T1505.003_potential-webshell-creation-on-static-website.txt  [T1505.003]  Potential Webshell Creation On Static Website
  potential-xcsset-malware-infection.txt  []  Potential XCSSET Malware Infection
  T1059_potential-xterm-reverse-shell.txt  [T1059]  Potential Xterm Reverse Shell
  T1090.004_potentially-suspicious-azure-front-door-connection.txt  [T1090.004,T1102.002]  Potentially Suspicious Azure Front Door Connection
  T1218_potentially-suspicious-cabinet-file-expansion.txt  [T1218]  Potentially Suspicious Cabinet File Expansion
  potentially-suspicious-child-process-of-clickonce-applicatio.txt  []  Potentially Suspicious Child Process Of ClickOnce Application
  T1218_potentially-suspicious-child-process-of-diskshadow-exe.txt  [T1218]  Potentially Suspicious Child Process Of DiskShadow.EXE
  T1202_potentially-suspicious-child-process-of-vscode.txt  [T1202,T1218]  Potentially Suspicious Child Process Of VsCode
  T1528_potentially-suspicious-command-targeting-teams-sensitive-fil.txt  [T1528]  Potentially Suspicious Command Targeting Teams Sensitive Files
  potentially-suspicious-dmp-hdmp-file-creation.txt  []  Potentially Suspicious DMP/HDMP File Creation
  T1112_potentially-suspicious-desktop-background-change-via-registr.txt  [T1112,T1491.001]  Potentially Suspicious Desktop Background Change Via Registry
  T1036_potentially-suspicious-execution-from-tmp-folder.txt  [T1036]  Potentially Suspicious Execution From Tmp Folder
  potentially-suspicious-execution-of-pdqdeployrunner.txt  []  Potentially Suspicious Execution Of PDQDeployRunner
  T1105_potentially-suspicious-file-creation-by-openedr-s-itsmservic.txt  [T1105,T1219,T1570]  Potentially Suspicious File Creation by OpenEDR's ITSMService
  T1528_potentially-suspicious-jwt-token-search-via-cli.txt  [T1528,T1552.001]  Potentially Suspicious JWT Token Search Via CLI
  potentially-suspicious-named-pipe-created-via-mkfifo.txt  []  Potentially Suspicious Named Pipe Created Via Mkfifo
  T1059.001_potentially-suspicious-powershell-child-processes.txt  [T1059.001]  Potentially Suspicious PowerShell Child Processes
  T1059.001_potentially-suspicious-powershell-script-execution-from-temp.txt  [T1059.001]  Potentially Suspicious Powershell Script Execution From Temp Folder
  T1218.011_potentially-suspicious-rundll32-activity.txt  [T1218.011]  Potentially Suspicious Rundll32 Activity
  T1090_potentially-suspicious-usage-of-qemu.txt  [T1090,T1572]  Potentially Suspicious Usage Of Qemu
  potentially-suspicious-wdac-policy-file-creation.txt  []  Potentially Suspicious WDAC Policy File Creation
  T1059.001_potentially-suspicious-webdav-lnk-execution.txt  [T1059.001,T1204]  Potentially Suspicious WebDAV LNK Execution
  potentially-suspicious-windows-app-activity.txt  []  Potentially Suspicious Windows App Activity
  T1070_powershell-console-history-logs-deleted.txt  [T1070]  PowerShell Console History Logs Deleted
  powershell-core-dll-loaded-via-office-application.txt  []  PowerShell Core DLL Loaded Via Office Application
  T1115_powershell-get-clipboard-cmdlet-via-cli.txt  [T1115]  PowerShell Get-Clipboard Cmdlet Via CLI
  powershell-module-file-created-by-non-powershell-process.txt  []  PowerShell Module File Created By Non-PowerShell Process
  T1546.013_powershell-profile-modification.txt  [T1546.013]  PowerShell Profile Modification
  T1059.001_powershell-script-run-in-appdata.txt  [T1059.001]  PowerShell Script Run in AppData
  T1685_powershell-defender-exclusion.txt  [T1685]  Powershell Defender Exclusion
  T1059.001_powershell-inline-execution-from-a-file.txt  [T1059.001]  Powershell Inline Execution From A File
  T1592.004_print-history-file-contents.txt  [T1592.004]  Print History File Contents
  T1003.001_procdump-execution.txt  [T1003.001,T1036]  Procdump Execution
  T1055_process-creation-using-sysnative-folder.txt  [T1055]  Process Creation Using Sysnative Folder
  process-launched-without-image-name.txt  []  Process Launched Without Image Name
  T1068_process-monitor-driver-creation-by-non-sysinternals-binary.txt  [T1068]  Process Monitor Driver Creation By Non-Sysinternals Binary
  T1218_process-proxy-execution-via-squirrel-exe.txt  [T1218]  Process Proxy Execution Via Squirrel.EXE
  publisher-attachment-file-dropped-in-suspicious-location.txt  []  Publisher Attachment File Dropped In Suspicious Location
  T1216.001_pubprn-vbs-proxy-execution.txt  [T1216.001]  Pubprn.vbs Proxy Execution
  T1059.006_python-path-configuration-file-creation-linux.txt  [T1059.006]  Python Path Configuration File Creation - Linux
  T1059.006_python-path-configuration-file-creation-macos.txt  [T1059.006]  Python Path Configuration File Creation - MacOS
  T1059.006_python-path-configuration-file-creation-windows.txt  [T1059.006]  Python Path Configuration File Creation - Windows
  T1059_python-spawning-pretty-tty-via-pty-module.txt  [T1059]  Python Spawning Pretty TTY Via PTY Module
  T1048.003_python-webserver-execution-linux.txt  [T1048.003]  Python WebServer Execution - Linux
  query-usage-to-exfil-data.txt  []  Query Usage To Exfil Data
  T1112_rdp-sensitive-settings-changed-to-zero.txt  [T1112]  RDP Sensitive Settings Changed to Zero
  T1218_register-app-vbs-proxy-execution.txt  [T1218]  REGISTER_APP.VBS Proxy Execution
  T1567.002_rclone-config-file-creation.txt  [T1567.002]  Rclone Config File Creation
  T1057_recon-command-output-piped-to-findstr-exe.txt  [T1057]  Recon Command Output Piped To Findstr.EXE
  register-new-ifiltre-for-persistence.txt  []  Register New IFiltre For Persistence
  T1112_registry-explorer-policy-modification.txt  [T1112]  Registry Explorer Policy Modification
  T1112_registry-hide-function-from-user.txt  [T1112]  Registry Hide Function from User
  T1059.005_registry-modification-attempt-via-vbscript.txt  [T1059.005,T1112]  Registry Modification Attempt Via VBScript
  T1137_registry-modification-to-hidden-file-extension.txt  [T1137]  Registry Modification to Hidden File Extension
  T1027.010_registry-set-with-crypto-classes-from-the-cryptography-power.txt  [T1027.010,T1059.001,T1547.001]  Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
  T1569.002_remcom-service-file-creation.txt  [T1569.002]  RemCom Service File Creation
  T1219.002_remote-access-tool-action1-arbitrary-code-execution-and-remo.txt  [T1219.002]  Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
  remote-access-tool-ammy-admin-agent-execution.txt  []  Remote Access Tool - Ammy Admin Agent Execution
  T1219.002_remote-access-tool-anydesk-piped-password-via-cli.txt  [T1219.002]  Remote Access Tool - AnyDesk Piped Password Via CLI
  remote-access-tool-cmd-exe-execution-via-anyviewer.txt  []  Remote Access Tool - Cmd.EXE Execution via AnyViewer
  T1219.002_remote-access-tool-meshagent-command-execution-via-meshcentr.txt  [T1219.002]  Remote Access Tool - MeshAgent Command Execution via MeshCentral
  T1219.002_remote-access-tool-potential-meshagent-execution-macos.txt  [T1219.002]  Remote Access Tool - Potential MeshAgent Execution - MacOS
  T1219.002_remote-access-tool-potential-meshagent-execution-windows.txt  [T1219.002]  Remote Access Tool - Potential MeshAgent Execution - Windows
  remote-access-tool-rurat-execution-from-unusual-location.txt  []  Remote Access Tool - RURAT Execution From Unusual Location
  T1133_remote-access-tool-screenconnect-installation-execution.txt  [T1133]  Remote Access Tool - ScreenConnect Installation Execution
  T1219.002_remote-access-tool-screenconnect-potential-suspicious-remote.txt  [T1219.002]  Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
  remote-access-tool-screenconnect-remote-command-execution-hu.txt  []  Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
  T1219.002_remote-access-tool-simple-help-execution.txt  [T1219.002]  Remote Access Tool - Simple Help Execution
  T1105_remote-access-tool-tacticalrmm-agent-registration-to-potenti.txt  [T1105,T1219]  Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
  T1204.002_remote-dll-load-via-rundll32-exe.txt  [T1204.002]  Remote DLL Load Via Rundll32.EXE
  T1105_remote-file-download-via-desktopimgdownldr-utility.txt  [T1105]  Remote File Download Via Desktopimgdownldr Utility
  T1021.006_remote-powershell-session-host-process-winrm.txt  [T1021.006,T1059.001]  Remote PowerShell Session Host Process (WinRM)
  T1685_removal-of-index-value-to-hide-schedule-task-registry.txt  [T1685]  Removal Of Index Value to Hide Schedule Task - Registry
  T1685_removal-of-sd-value-to-hide-schedule-task-registry.txt  [T1685]  Removal Of SD Value to Hide Schedule Task - Registry
  T1112_removal-of-potential-com-hijacking-registry-keys.txt  [T1112]  Removal of Potential COM Hijacking Registry Keys
  T1222.002_remove-immutable-file-attribute.txt  [T1222.002]  Remove Immutable File Attribute
  remove-scheduled-cron-task-job.txt  []  Remove Scheduled Cron Task/Job
  renamed-remote-utilities-rat-rurat-execution.txt  []  Renamed Remote Utilities RAT (RURAT) Execution
  T1105_replace-exe-usage.txt  [T1105]  Replace.exe Usage
  T1078_root-account-enable-via-dsenableroot.txt  [T1078,T1078.001,T1078.003]  Root Account Enable Via Dsenableroot
  T1112_run-once-task-configuration-in-registry.txt  [T1112]  Run Once Task Configuration in Registry
  T1218.011_scr-file-write-event.txt  [T1218.011]  SCR File Write Event
  T1053.005_schedule-task-creation-from-env-variable-or-potentially-susp.txt  [T1053.005]  Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
  T1053.003_scheduled-cron-task-job-linux.txt  [T1053.003]  Scheduled Cron Task/Job - Linux
  T1053.003_scheduled-cron-task-job-macos.txt  [T1053.003]  Scheduled Cron Task/Job - MacOs
  T1053.005_scheduled-task-creation-from-potential-suspicious-parent-loc.txt  [T1053.005]  Scheduled Task Creation From Potential Suspicious Parent Location
  T1053.005_scheduled-task-creation-with-curl-and-powershell-execution-c.txt  [T1053.005,T1105,T1218]  Scheduled Task Creation with Curl and PowerShell Execution Combo
  T1113_screen-capture-activity-via-psr-exe.txt  [T1113]  Screen Capture Activity Via Psr.EXE
  T1219.002_screenconnect-temporary-installation-artefact.txt  [T1219.002]  ScreenConnect Temporary Installation Artefact
  screenconnect-user-database-modification.txt  []  ScreenConnect User Database Modification
  T1218.011_screensaver-registry-key-set.txt  [T1218.011]  ScreenSaver Registry Key Set
  T1685_scripted-diagnostics-turn-off-check-enabled-registry.txt  [T1685]  Scripted Diagnostics Turn Off Check Enabled - Registry
  T1218.010_scripting-commandline-process-spawned-regsvr32.txt  [T1218.010]  Scripting/CommandLine Process Spawned Regsvr32
  T1548.002_sdclt-child-processes.txt  [T1548.002]  Sdclt Child Processes
  T1518.001_security-software-discovery-macos.txt  [T1518.001]  Security Software Discovery - MacOs
  T1218_self-extraction-directive-file-created-in-potentially-suspic.txt  [T1218]  Self Extraction Directive File Created In Potentially Suspicious Location
  T1112_service-binary-in-user-controlled-folder.txt  [T1112]  Service Binary in User Controlled Folder
  T1543.003_servicedll-hijack.txt  [T1543.003]  ServiceDll Hijack
  T1546.009_session-manager-autorun-keys-modification.txt  [T1546.009,T1547.001]  Session Manager Autorun Keys Modification
  T1574.005_setup16-exe-execution-with-custom-lst-file.txt  [T1574.005]  Setup16.EXE Execution With Custom .Lst File
  T1083_shell-invocation-via-apt-linux.txt  [T1083]  Shell Invocation via Apt - Linux
  shell-process-spawned-by-java-exe.txt  []  Shell Process Spawned by Java.EXE
  start-of-nt-virtual-dos-machine.txt  []  Start of NT Virtual DOS Machine
  T1547.001_startup-folder-file-write.txt  [T1547.001]  Startup Folder File Write
  T1486_suspicious-appended-extension.txt  [T1486]  Suspicious Appended Extension
  T1059.003_suspicious-child-process-of-sap-netweaver.txt  [T1059.003,T1190]  Suspicious Child Process of SAP NetWeaver
  T1059.003_suspicious-child-process-of-sap-netweaver-linux.txt  [T1059.003,T1190]  Suspicious Child Process of SAP NetWeaver - Linux
  T1036_suspicious-codepage-switch-via-chcp.txt  [T1036]  Suspicious CodePage Switch Via CHCP
  T1486_suspicious-creation-txt-file-in-user-desktop.txt  [T1486]  Suspicious Creation TXT File in User Desktop
  T1187_suspicious-creation-of-library-ms-file-potential-cve-2025-24.txt  [T1187]  Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
  T1059.001_suspicious-crushftp-child-process.txt  [T1059.001,T1059.003,T1190]  Suspicious CrushFTP Child Process
  T1071.001_suspicious-curl-change-user-agents-linux.txt  [T1071.001]  Suspicious Curl Change User Agents - Linux
  T1105_suspicious-curl-file-upload-linux.txt  [T1105,T1567]  Suspicious Curl File Upload - Linux
  T1564.004_suspicious-diantz-alternate-data-stream-execution.txt  [T1564.004]  Suspicious Diantz Alternate Data Stream Execution
  T1105_suspicious-diantz-download-and-compress-into-a-cab-file.txt  [T1105]  Suspicious Diantz Download and Compress Into a CAB File
  T1547_suspicious-driver-install-by-pnputil-exe.txt  [T1547]  Suspicious Driver Install by pnputil.exe
  suspicious-electron-application-child-processes.txt  []  Suspicious Electron Application Child Processes
  suspicious-execution-of-installutil-without-log.txt  []  Suspicious Execution of InstallUtil Without Log
  T1059.001_suspicious-execution-of-powershell-with-base64.txt  [T1059.001]  Suspicious Execution of Powershell with Base64
  T1529_suspicious-execution-of-shutdown.txt  [T1529]  Suspicious Execution of Shutdown
  T1529_suspicious-execution-of-shutdown-to-log-out.txt  [T1529]  Suspicious Execution of Shutdown to Log Out
  T1059_suspicious-execution-via-macos-script-editor.txt  [T1059,T1059.002,T1204,T1204.001,T1553,T1566,T1566.002]  Suspicious Execution via macOS Script Editor
  T1564.004_suspicious-extrac32-alternate-data-stream-execution.txt  [T1564.004]  Suspicious Extrac32 Alternate Data Stream Execution
  T1059_suspicious-file-created-in-perflogs.txt  [T1059]  Suspicious File Created In PerfLogs
  T1190_suspicious-file-drop-by-exchange.txt  [T1190,T1505.003]  Suspicious File Drop by Exchange
  T1190_suspicious-file-write-to-webapps-root-directory.txt  [T1190,T1505.003]  Suspicious File Write to Webapps Root Directory
  T1036.005_suspicious-files-in-default-gpo-folder.txt  [T1036.005]  Suspicious Files in Default GPO Folder
  T1132.001_suspicious-frombase64string-usage-on-gzip-archive-process-cr.txt  [T1132.001]  Suspicious FromBase64String Usage On Gzip Archive - Process Creation
  T1593.003_suspicious-git-clone-linux.txt  [T1593.003]  Suspicious Git Clone - Linux
  T1552.003_suspicious-history-file-operations.txt  [T1552.003]  Suspicious History File Operations
  T1059_suspicious-installer-package-child-process.txt  [T1059,T1059.007,T1071,T1071.001]  Suspicious Installer Package Child Process
  T1588.002_suspicious-keyboard-layout-load.txt  [T1588.002]  Suspicious Keyboard Layout Load
  T1036.007_suspicious-lnk-double-extension-file-created.txt  [T1036.007]  Suspicious LNK Double Extension File Created
  suspicious-macos-firmware-activity.txt  []  Suspicious MacOS Firmware Activity
  T1218.007_suspicious-msiexec-embedding-parent.txt  [T1218.007]  Suspicious MsiExec Embedding Parent
  T1218.007_suspicious-msiexec-execute-arbitrary-dll.txt  [T1218.007]  Suspicious Msiexec Execute Arbitrary DLL
  T1016_suspicious-network-connection-to-ip-lookup-service-apis.txt  [T1016]  Suspicious Network Connection to IP Lookup Service APIs
  suspicious-new-instance-of-an-office-com-object.txt  []  Suspicious New Instance Of An Office COM Object
  T1102_suspicious-non-browser-network-communication-with-telegram-a.txt  [T1102,T1105,T1567]  Suspicious Non-Browser Network Communication With Telegram API
  T1685_suspicious-procexp152-sys-file-created-in-tmp.txt  [T1685]  Suspicious PROCEXP152.sys File Created In TMP
  T1553.004_suspicious-package-installed-linux.txt  [T1553.004]  Suspicious Package Installed - Linux
  T1547.001_suspicious-powershell-in-registry-run-keys.txt  [T1547.001]  Suspicious PowerShell In Registry Run Keys
  T1059.001_suspicious-powershell-invocation-from-script-engines.txt  [T1059.001]  Suspicious PowerShell Invocation From Script Engines
  suspicious-powershell-invocations-specific-processcreation.txt  []  Suspicious PowerShell Invocations - Specific - ProcessCreation
  T1036_suspicious-process-start-locations.txt  [T1036]  Suspicious Process Start Locations
  T1059_suspicious-rasdial-activity.txt  [T1059]  Suspicious RASdial Activity
  T1087.001_suspicious-reconnaissance-activity-using-get-localgroupmembe.txt  [T1087.001]  Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
  T1222.001_suspicious-recursive-takeown.txt  [T1222.001]  Suspicious Recursive Takeown
  suspicious-runas-like-flag-combination.txt  []  Suspicious RunAs-Like Flag Combination
  T1218.011_suspicious-rundll32-setupapi-dll-activity.txt  [T1218.011]  Suspicious Rundll32 Setupapi.dll Activity
  T1059_suspicious-runscripthelper-exe.txt  [T1059,T1202]  Suspicious Runscripthelper.exe
  T1552.006_suspicious-sysvol-domain-group-policy-access.txt  [T1552.006]  Suspicious SYSVOL Domain Group Policy Access
  T1018_suspicious-scan-loop-network.txt  [T1018,T1059]  Suspicious Scan Loop Network
  T1053.005_suspicious-scheduled-task-name-as-guid.txt  [T1053.005]  Suspicious Scheduled Task Name As GUID
  T1546.002_suspicious-screensave-change-by-reg-exe.txt  [T1546.002]  Suspicious ScreenSave Change by Reg.exe
  T1546.002_suspicious-screensaver-binary-file-creation.txt  [T1546.002]  Suspicious Screensaver Binary File Creation
  T1685_suspicious-service-installed.txt  [T1685]  Suspicious Service Installed
  T1221_suspicious-set-value-of-msdt-in-registry-cve-2022-30190.txt  [T1221]  Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
  T1546.001_suspicious-shell-open-command-registry-modification.txt  [T1546.001,T1548.002]  Suspicious Shell Open Command Registry Modification
  T1210_suspicious-sysaidserver-child.txt  [T1210]  Suspicious SysAidServer Child
  T1027.010_suspicious-usage-of-for-loop-with-recursive-directory-search.txt  [T1027.010,T1059.003]  Suspicious Usage of For Loop with Recursive Directory Search in CMD
  T1112_suspicious-vboxdrvinst-exe-parameters.txt  [T1112]  Suspicious VBoxDrvInst.exe Parameters
  T1218_suspicious-vsls-agent-command-with-agentextensionpath-load.txt  [T1218]  Suspicious Vsls-Agent Command With AgentExtensionPath Load
  T1685_suspicious-windows-defender-folder-exclusion-added-via-reg-e.txt  [T1685]  Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
  suspicious-windowsterminal-child-processes.txt  []  Suspicious WindowsTerminal Child Processes
  T1553.004_suspicious-x509enrollment-process-creation.txt  [T1553.004]  Suspicious X509Enrollment - Process Creation
  T1202_suspicious-zipexec-execution.txt  [T1202,T1218]  Suspicious ZipExec Execution
  T1216_syncappvpublishingserver-vbs-execute-arbitrary-powershell-co.txt  [T1216,T1218]  SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
  T1059_sysprep-on-appdata-folder.txt  [T1059]  Sysprep on AppData Folder
  T1082_system-information-discovery-using-ioreg.txt  [T1082]  System Information Discovery Using Ioreg
  T1082_system-information-discovery-using-system-profiler.txt  [T1082,T1497.001]  System Information Discovery Using System_Profiler
  T1082_system-information-discovery-using-sw-vers.txt  [T1082]  System Information Discovery Using sw_vers
  T1082_system-information-discovery-via-sysctl-macos.txt  [T1082,T1497.001]  System Information Discovery Via Sysctl - MacOS
  T1518.001_system-integrity-protection-sip-disabled.txt  [T1518.001]  System Integrity Protection (SIP) Disabled
  T1547.001_system-scripts-autorun-keys-modification.txt  [T1547.001]  System Scripts Autorun Keys Modification
  T1048_tap-installer-execution.txt  [T1048]  Tap Installer Execution
  T1219.002_teamviewer-remote-session.txt  [T1219.002]  TeamViewer Remote Session
  T1685_terminate-linux-process-via-kill.txt  [T1685]  Terminate Linux Process Via Kill
  T1574.001_third-party-software-dll-sideloading.txt  [T1574.001]  Third Party Software DLL Sideloading
  T1490_time-machine-backup-deletion-attempt-via-tmutil-macos.txt  [T1490]  Time Machine Backup Deletion Attempt Via Tmutil - MacOS
  T1490_time-machine-backup-disabled-via-tmutil-macos.txt  [T1490]  Time Machine Backup Disabled Via Tmutil - MacOS
  T1070_tomcat-webserver-logs-deleted.txt  [T1070]  Tomcat WebServer Logs Deleted
  T1070.006_touch-suspicious-service-file.txt  [T1070.006]  Touch Suspicious Service File
  T1041_tunneling-tool-execution.txt  [T1041,T1071.001,T1572]  Tunneling Tool Execution
  T1548_uac-bypass-via-windows-firewall-snap-in-hijack.txt  [T1548]  UAC Bypass via Windows Firewall Snap-In Hijack
  T1548.002_uac-disabled.txt  [T1548.002]  UAC Disabled
  T1548.002_uac-notification-disabled.txt  [T1548.002]  UAC Notification Disabled
  T1548.002_uac-secure-desktop-prompt-disabled.txt  [T1548.002]  UAC Secure Desktop Prompt Disabled
  T1686_ufw-disable-attempt.txt  [T1686]  UFW Disable Attempt
  T1218_uncommon-child-process-of-addinutil-exe.txt  [T1218]  Uncommon Child Process Of AddinUtil.EXE
  T1218_uncommon-child-process-of-appvlp-exe.txt  [T1218]  Uncommon Child Process Of Appvlp.EXE
  T1059.005_uncommon-child-process-of-bginfo-exe.txt  [T1059.005,T1202,T1218]  Uncommon Child Process Of BgInfo.EXE
  T1218_uncommon-child-process-of-defaultpack-exe.txt  [T1218]  Uncommon Child Process Of Defaultpack.EXE
  T1218.008_uncommon-child-process-spawned-by-odbcconf-exe.txt  [T1218.008]  Uncommon Child Process Spawned By Odbcconf.EXE
  uncommon-child-processes-of-sndvol-exe.txt  []  Uncommon Child Processes Of SndVol.exe
  T1218_uncommon-link-exe-parent-process.txt  [T1218]  Uncommon Link.EXE Parent Process
  T1216_uncommon-sigverif-exe-child-process.txt  [T1216]  Uncommon Sigverif.EXE Child Process
  T1059_unusual-parent-process-for-cmd-exe.txt  [T1059]  Unusual Parent Process For Cmd.EXE
  T1059.001_usage-of-web-request-commands-and-cmdlets.txt  [T1059.001]  Usage Of Web Request Commands And Cmdlets
  T1564.004_use-ntfs-short-name-in-command-line.txt  [T1564.004]  Use NTFS Short Name in Command Line
  T1564.004_use-ntfs-short-name-in-image.txt  [T1564.004]  Use NTFS Short Name in Image
  T1218_use-of-the-sftp-exe-binary-as-a-lolbin.txt  [T1218]  Use Of The SFTP.EXE Binary As A LOLBIN
  T1564.004_use-short-name-path-in-command-line.txt  [T1564.004]  Use Short Name Path in Command Line
  T1059_use-of-pcalua-for-execution.txt  [T1059]  Use of Pcalua For Execution
  T1078.003_user-added-to-admin-group-via-dscl.txt  [T1078.003]  User Added To Admin Group Via Dscl
  T1078.003_user-added-to-admin-group-via-dseditgroup.txt  [T1078.003]  User Added To Admin Group Via DseditGroup
  T1078.003_user-added-to-admin-group-via-sysadminctl.txt  [T1078.003]  User Added To Admin Group Via Sysadminctl
  user-added-to-root-sudoers-group-using-usermod.txt  []  User Added To Root/Sudoers Group Using Usermod
  T1098_user-added-to-local-administrators-group.txt  [T1098]  User Added to Local Administrators Group
  T1531_user-has-been-deleted-via-userdel.txt  [T1531]  User Has Been Deleted Via Userdel
  T1216_utilityfunctions-ps1-proxy-dll.txt  [T1216]  UtilityFunctions.ps1 Proxy Dll
  T1587.001_vhd-image-download-via-browser.txt  [T1587.001]  VHD Image Download Via Browser
  T1005_veeam-backup-database-suspicious-query.txt  [T1005]  Veeam Backup Database Suspicious Query
  visual-studio-code-tunnel-remote-file-creation.txt  []  Visual Studio Code Tunnel Remote File Creation
  T1071.001_visual-studio-code-tunnel-service-installation.txt  [T1071.001]  Visual Studio Code Tunnel Service Installation
  T1071.001_visual-studio-code-tunnel-shell-execution.txt  [T1071.001]  Visual Studio Code Tunnel Shell Execution
  T1218_visual-studio-nodejstools-pressanykey-arbitrary-binary-execu.txt  [T1218]  Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
  vscode-code-tunnel-execution-file-indicator.txt  []  VsCode Code Tunnel Execution File Indicator
  T1546.013_vscode-powershell-profile-modification.txt  [T1546.013]  VsCode Powershell Profile Modification
  T1685_wdac-policy-file-creation-in-codeintegrity-folder.txt  [T1685]  WDAC Policy File Creation In CodeIntegrity Folder
  T1569.002_wfp-filter-added-via-registry.txt  [T1569.002,T1685]  WFP Filter Added via Registry
  T1546.003_wmi-activescripteventconsumers-activity-via-scrcons-exe-dll.txt  [T1546.003]  WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
  T1546.003_wmi-persistence-script-event-consumer.txt  [T1546.003]  WMI Persistence - Script Event Consumer
  T1220_wmic-loading-scripting-libraries.txt  [T1220]  WMIC Loading Scripting Libraries
  T1202_wsl-child-process-anomaly.txt  [T1202,T1218]  WSL Child Process Anomaly
  weak-or-abused-passwords-in-cli.txt  []  Weak or Abused Passwords In CLI
  T1566_webdav-temporary-local-file-creation.txt  [T1566,T1584]  WebDAV Temporary Local File Creation
  T1685_werfaultsecure-loading-dbgcore-or-dbghelp-edr-freeze.txt  [T1685]  WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
  T1105_wget-creating-files-in-tmp-directory.txt  [T1105]  Wget Creating Files in Tmp Directory
  T1547.001_winsock2-autorun-keys-modification.txt  [T1547.001]  WinSock2 Autorun Keys Modification
  winsxs-executable-file-creation-by-non-system-process.txt  []  WinSxS Executable File Creation By Non-System Process
  T1202_windows-binary-executed-from-wsl.txt  [T1202]  Windows Binary Executed From WSL
  T1685_windows-defender-exclusions-added-registry.txt  [T1685]  Windows Defender Exclusions Added - Registry
  T1113_windows-recall-feature-enabled-registry.txt  [T1113]  Windows Recall Feature Enabled - Registry
  T1566.001_windows-registry-trust-record-modification.txt  [T1566.001]  Windows Registry Trust Record Modification
  T1547.015_windows-terminal-profile-settings-modification-by-uncommon-p.txt  [T1547.015]  Windows Terminal Profile Settings Modification By Uncommon Process
  T1112_winlogon-allowmultipletssessions-enable.txt  [T1112]  Winlogon AllowMultipleTSSessions Enable
  T1547.001_wow6432node-classes-autorun-keys-modification.txt  [T1547.001]  Wow6432Node Classes Autorun Keys Modification
  T1685_write-protect-for-storage-disabled.txt  [T1685]  Write Protect For Storage Disabled
  T1546.002_writing-local-admin-share.txt  [T1546.002]  Writing Local Admin Share
  T1059_writing-of-malicious-files-to-the-fonts-folder.txt  [T1059,T1211]  Writing Of Malicious Files To The Fonts Folder
  T1059_wscript-shell-run-in-commandline.txt  [T1059]  Wscript Shell Run In CommandLine
